Package: semi Version: 1.14.6+0.20070618-4 Severity: normal While investigation some communication problems between Wanderlust, an mail client that uses SEMI, and Thunderbird I noticed that SEMI under some circumstances does not follow the specs for creating a signed and encrypted pgp message.
According to the specs (RFC 3156, "MIME Security with OpenPGP") there
are two ways to construct a message with signed and encrypted content:
- using openpgp's method to encrypt and sign data in one process
(Section 6.2)
- using encapsulation as suggested in RFC 1847 ("Security Multiparts
for MIME: Multipart/Signed and Multipart/Encrypted"), that is:
first create MIME body with the digital signature and then encrypt
this whole body.
When in mime-edit-mode a user can toggle encryption and signing by
pressing C-c C-x e to toggle message encryption or C-c C-x s for
signing. Hence to create a encrypted *and* signed message a user can
either first toggle encryption, then toggle signing or first toggle
signing, then toggle encryption.
In both cases SEMI *should* create a signed and encrypted message that
is compliant to the specs, but it does not. If the user first toggles
encryption, then signing SEMI first creates an encrypted message and
then calculates and attaches a digital signature for the encrypted
message.
Such a message is a valid MIME message but out of the specs of RFC
3156, so I assume this a bug.
The misbehaviour is caused by the way SEMI processes the instructions
for pgp/mime for a particular message: they are stored in a list in
the order a user issues them and when creating the final message SEMI
processes the list sequentially.
Attached patch fixes this by replacing the sequential processing of
the list by two if-then-clauses that make sure that signing is always
performed before encryption.
semi-rfc3156-6.1-compliant.patch
Description: Binary data
-- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (900, 'testing'), (500, 'unstable'), (300, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages semi depends on: ii apel 10.7-3 portable library for emacsen ii emacs-snapshot [emacsen] 1:20091023-1 The GNU Emacs editor (development ii flim 1:1.14.9-4 library about internet message for semi recommends no packages. Versions of packages semi suggests: ii gnupg 1.4.10-2 GNU privacy guard - a free PGP rep ii mailcrypt 3.5.8+CVS.2005.04.29.1-12.1 An Emacs interface to the GNU Priv ii wl-beta [wl] 2.15.6+0.20090322-1 mail/news reader supporting IMAP f -- no debconf information -- OpenPGP... 0x316F4BE4670716FD Jabber.... [email protected] Email..... [email protected] ICQ....... 241051416
