From: Paul Elliott <paul.elliott@hrnowl.lonestar.org>
Date: Thu, 23 May 1996 15:02:01 +0800
To: elkins@aero.org (Michael Elkins)
Subject: Re: PGP MIME INTERNET DRAFT considered harmful.
In-Reply-To: <199605201710.KAA23072@muddcs.cs.hmc.edu>
Message-ID: <31a3910d.flight@flight.hrnowl.lonestar.org>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

> 
> [Note: CC'd to the pgp-mime list.]
> 
> Paul Elliott writes:
> > [Encrypted & Signed binary data.] 
> > Now when there is a data path for PGP's cyphertext, PGP provides a
> > binary data path for its plain text. Thus, the inner base64 that PGP
> > MIME internet draft requires is totally unnecessary. It will cause a 30%
> > increase in the size of those messages that are encrypted and signed and
> > large amounts of CPU time will be used applying & removing the base64.
> 
> This design decision actually serves a purpose.  The scenario is as
> follows:  Suppose you are a company which has west-coast and east-coast
> offices, and the only connectivity which exists is via the open Internet.
> Suppose further that you wished to send out a company memorandum to all
> the employees.  Obviously you will want to sign and encrypt your message.
> However, one it reaches your offices, you would like to have the encryption
> "layer" stripped leaving just the signed message.  Now, if when you generated
> that message you did not restrict yourself to 7 bits, there is a likely
> probability given todays software, that you are not going to be able to
> transmit that message over an SMTP framework.

I as you should know, I have never said that base64 should never be used.
I merely say that signatures should be taken over the original binary data.
Base64 can be used for transport as needed, but it should be a convention
that the any base64 is removed before signatures are checked.

Using this convention, it is easy to see that the node that strips encryption
could add base64 without invalidating the signature, because of the
convention that the base64 so added will be removed before the signature
is checked on the original binary data.

> 
> Now, this does present some bloat for people who do not strip the encryption,
> but it seems far better to design the protocol such that this case will
> work.
> 
> > [Signed binary data.]
> > Now let us consider the question of what PGP-MIME draft requires users
> > to sign. Suppose we want to send a signed .gif file to a sysop. The
> > sysop wants to store the .gif in his download section. Suppose the sysop
> > wants to store the signature as a detached signature so that people who
> > download it can check the authorship. But the signature proposed by the
> > PGP-MIME draft is useless for this purpose. It has MIME headers attached
> > and it has been base64'ed. People who download such a file from a BBS
> > have no use for it, unless they have MIME.
> 
> [...several other examples deleted...]
> 
> PGP/MIME is _not_ meant to be used in this fashion!  It never was!  PGP/MIME
> is only to be used for transport, not for long term storage.  If you need
> a persistent signature, you should generate a detached signature as an
> attachment.

It should allow users to use it in such a fashion! PGP MIME should
respect the wishes of the users! Software should not view users
as tools to accomplish some goal predetermined by developers, but it
should rather make it easy for the user to accomplish what the user
wants! This attitude of service causes software to be in harmony with
market forces and leads to success! (Market forces apply to freware/guiltware/
copylefted/public domain software as well as software for sale or licence.)

By existing in a context of service, PGP MIME can make encryption
easy to use and become widespread. By doing so, it can entrench
the widespread use of encryption, making it politicly impossible to
regulate it! Thus, it can confound the evil plans of those dark forces
that seek to enslave us all!

As my examples show, some users may have legitimate reasons for
wishing to attach a generally useful PGP signature to a MIME message.

Not all users are technically sophisticated, it would be nice if PGP_MIME
could accommodate such wishes.

Digital signatures are an unrevokable record of what a person believes
and attests to at a given time. Belief is an attribute of persons, that
is not subject to command, certainly not by a piece of software.

PGP MIME should allow users to sign those documents the user wishes
to sign, faithfully transmitting those signatures to the receiver. It should 
not dictate that a user will sign an unintelligible artifact of a data 
transmission system.

> 
> > If users get in the habit of signing binary files which represent
> > multimedia data, and which can not be examined with commonly available
> > inspection tools, it is inevitable and predictable that sooner or later
> > this will cause some kind of negative security event.
> 
> By this argument nobody should bother signing e-mail or news posts.  I
> haven't seen any good tools to handle this easily for PC's and Macs.
> New proposals have to be made before the tools become available.  This
> draft is the result of experience with what does and doesn't work.
> For example, the application/pgp content-type which many people like
> is horribly broken for what it's probably used for 95% of the time.
> 
> > There is no good reason to sign the base64 rather than the original
> > data. Once a file has been base64ed, the file can not be examined
> > with the usual inspection tools.
> 
> Yes, base64 is just another stream of bytes, but there are FEW places on
> the Internet SMTP framework that can support BINARY transport.  BINARY
> streams often contain very long lines which existing software simply can't
> handle.

You are ignoring an already exiting binary transport, that exists right now.
Namely, PGP provides a BINARY datapath for its plaintext!

In the future, other binary transports will become more common.
7 bit datapaths will become less common.
Pressure will build for PGP MIME to support binary datapaths.

PGP MIME will have to go through a complicated migration path
to phase in this transition. All this complexity can be avoided by
doing the right thing now.

Make the method of representing the data for signatures independent
of the representation of the data for transport!

It might take some effort for PGP-MIME annalists and developers now.
But that effort, will be more than repaid by saving people the hassle
of having to clean up an intolerable mess later!

I do not see exactly how this should be done for multipart messages
in detail right now. That is why I have not made a specific proposal.
But I do see that it should be possible to come up with such a representation.

That is why I say that the draft should be withdrawn and sent back
for further study.

> 
> There is also another reason to sign the encoded version.  Remember that
> it also includes the content headers of that part.  This is very important
> especially for automated processing of messages.

The typical user does not necessarily know the difference between
a .gif and a .jpg file. He only knows he wants to send this pretty picture
on the screen.

Users should have a policy of only attesting to statements by digital
signature, that they know _of their own personal knowledge_ is true.
Any other policy is to court disaster.

If Malley ( the active message hacker ) hacks the content-type
MIME line, all that will happen is that the message to be sent
to the .gif viewer rather than the .jpg viewer, causing the message
to be lost. But Malley already had the ability to loose the message,
after all, he hacked it didn't he? In general, the content type line
should not be signed.

If some technically advanced user wants to sign the content-type
line, his wishes should be accommodated. But it should not be made
a requirement that technically unsophisticated users attest to things
they have no hope of understanding!

> 
> > The typical user of MIME software is not necessarily technically
> > sophisticated. When the deficiencies and disasters associated with
> > software patterned on this draft become apparent, not everyone will know
> > exactly which software component is at fault. The problems associated
> > with the draft (or its successors) may adversely affect the reputation
> > of PGP.
> 
> Bad implementations can always adversely affect your reputation, even if
> the theory behind it is solid.  The average non-technical user which you
> have been describing in this message will should not even be aware of
> the underlying details if the implementation is done correctly.
> 
> > The draft should be withdrawn. People should rethink and create a better
> > plan to combine the benefits of PGP and MIME.
> 
> You are more than welcome to submit your proposal the the pgp-mime mailing
> list.  [send mail to pgp-mime-request@lists.uchicago.edu with a subject of
> "subscribe"]

I have gotten the impression that you guys have stopped listening.
Everyone seems hell-bent on standardizing this inferior system that
will lockin a poor design. I hoped that by appealing to a larger
audience I could get more articulate and respected people to
persuade you to rethink. Perhaps some of the cypherpunks can
say something that will provoke an attack of sanity that will
stop this inexorable march toward a bad standard.


> 
> We've seen a lot of different proposals go by, and none of them have stood
> up to PGP/MIME.  From my point of view, most of the problems that people
> have with the draft is their failure to understand what it is to be used
> for.  Many people have the impression that PGP/MIME is meant to be the
> end-all-be-all for PGP.  But it's not!  PGP/MIME is meant to securely
> transmit messages across the Internet in a manner which all platforms
> can use.  PGP/MIME is text based because most transport systems in use
> are.  Nowhere is anyone saying "thou shalt not use PGP without MIME."
> I think if more people understood that, we wouldn't have so many
> objections to it.
> 
> > It should not require any additional space overhead  (more than that
> > which may be necessary for transport) when signing and encrypting.
> 
> The note in parens is interesting.  What you consider overhead I consider
> necessary for transport.

In the specific case I mentioned, (signed & encrypted) it is not necessary
for transport. It is only necessary for transport under your mis-designed
system whereby signatures must be taken over entities designed for
transport.

> 
> me

- -- 
Paul Elliott                                  Telephone: 1-713-781-4543
Paul.Elliott@hrnowl.lonestar.org              Address:   3987 South Gessner #224
                                              Houston Texas 77063

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: cp850

iQCVAgUBMaOd5PBUQYbUhJh5AQE6IwP9EjScv5K1CjOUvwBwbW0ovD5iwa/37/5q
WxI7rR8k2jArKQpBm8KKySMQs7YxQD28JU5FjS8IUJBRMkQRBkBZwUvTrWjW0Rs+
EKdyimgjd4KrsmVmHPxfAOhPjjNqUD2DVOWlRNfzc+0f+RW2Bxn3R4/XJQ3sFf5n
0kBISWaYHeg=
=HknB
-----END PGP SIGNATURE-----