On 30 Nov 2013, at 18:48, Scott Blystone wrote:
The release notes of the latest developer build contained the
following text:
"Revision 3872 (Friday, November 29, 2013)
The following can be used to change the hash function used for OpenPGP
messages:
defaults write com.freron.MailMate MmOpenPGPHashFunction -string sha256
Do not use this if you do not know what you are doing."
What am I missing here? I have many years of encryption experience but I
do not understand the purpose of this parameter. The digest and hash
functions are determined when the actual key itself is generated and
not by the mail client!
First, I'm certainly no security expert and I welcome any
comments/corrections to the following.
For OpenPGP the hash function is not set in stone, but you can set a
list of preferred hash functions, e.g., one of my keys has the following
list:
Digest: SHA256, SHA1, SHA384, SHA512, SHA224
Unfortunately (embarrassingly) MailMate ignores this setting. It simply
enforces the use of SHA1 to make sure that the “Content-Type” of a
message shows the correct hash function in the so-called `micalg`
parameter. I have it on my ToDo to improve this. The setting above was a
quick fix for a user with a key which could not be used with SHA1 at
all.
For S/MIME in MailMate, it's kind of worse, and it's partly because I'm
not 100% sure how it works for S/MIME certificates. MailMate doesn't
(and maybe cannot?) enforce a particular hash function, but MailMate
also doesn't try to find out which hash algorithm is used.
The `micalg` parameter is simply set to `sha1` even if it's not true.
It's actually my impression that this parameter is ignored most of the
time, but I would of course like it to be correct. So far, I've figured
out how to read the “Signature Algorithm” of a certificate and I've
found so-called OIDs for various popular hashing functions. (I cannot
seem to find any Apple API to do this more easily.) For example,
* sha1WithRSAEncryption:
http://www.oid-info.com/get/1.2.840.113549.1.1.5
* sha256WithRSAEncryption:
http://www.oid-info.com/get/1.2.840.113549.1.1.11
Documentation is scarce and I'm not sure this is the right way to go.
For example, I just tried signing a message with Apple Mail using a
certificate with a Signature Algorithm of “SHA-256 with RSA
Encryption”, but the `micalg` parameter was still `sha1`. Obviously, I
need to do more testing to understand this :-)
--
Benny
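
The OpenPGP mismatch discussed in this message (a `micalg` that says `sha1` while the signature uses another hash) can be checked on the receiving side by reading the hash algorithm ID from the signature packet and comparing it with the header. This is an added example, not part of the original post and not MailMate's code; the function names are hypothetical and the sample message with its truncated signature packet is constructed.

```python
import base64
import email

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) and their micalg names
HASH_IDS = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256",
            9: "sha384", 10: "sha512", 11: "sha224"}

def dearmor(text):
    """Return the binary packet data inside an ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]            # skip BEGIN line and armor headers
    data = [l for l in body if l and l[0] not in "=-"]  # drop CRC and END lines
    return base64.b64decode("".join(data))

def signature_hash(packet):
    """Name of the hash recorded in a signature packet (tag 2)."""
    first = packet[0]
    if first & 0xC0 == 0xC0:                      # new-format packet header
        tag, n = first & 0x3F, packet[1]
        skip = 6 if n == 255 else 3 if 192 <= n < 224 else 2
    else:                                         # old-format packet header
        tag = (first >> 2) & 0x0F
        skip = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("not a signature packet")
    body = packet[skip:]
    algo = body[3] if body[0] >= 4 else body[16]  # v4 and later vs. v3 layout
    return HASH_IDS.get(algo, "unknown-%d" % algo)

def check_micalg(raw_message):
    """Return (declared micalg, micalg implied by the signature, match?)."""
    msg = email.message_from_string(raw_message)
    declared = (msg.get_param("micalg") or "").lower()
    sig_part = msg.get_payload()[1]               # second part holds the signature
    actual = "pgp-" + signature_hash(dearmor(sig_part.get_payload()))
    return declared, actual, declared == actual

# Constructed sample: truncated v4 signature packet using SHA256 (ID 8),
# wrapped in a message whose header still declares pgp-sha1.
_PKT = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x08])
SAMPLE = (
    'Content-Type: multipart/signed; boundary="b"; micalg=pgp-sha1;\n'
    ' protocol="application/pgp-signature"\n\n'
    '--b\nContent-Type: text/plain\n\nhello\n'
    '--b\nContent-Type: application/pgp-signature\n\n'
    '-----BEGIN PGP SIGNATURE-----\n\n'
    + base64.b64encode(_PKT).decode()
    + '\n-----END PGP SIGNATURE-----\n--b--\n')

if __name__ == "__main__":
    print(check_micalg(SAMPLE))
```

The check only reads the declared algorithm from the packet header fields; it does not verify the signature itself.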