(In reply to comment #8)
> > The replacement message even proves that the signature was valid before.
> No, it does *not*. That's what I said in my initial description.
Depends on your assumtions. Of course not for a court trial any more.
You can't avoid that loss when removing the attachment.
But the message is a marker for the mailbox owner that the signature was
valid in the moment when he stripped the attachment. Of course with the
assumtion that nobody broke into the mailbox and that the incoming mail did not
already contain that message. But that's up to the recepient, quite obvious.
More is not possible when the message was altered.
The modification could be signed by the recepient, but that does not
help him very much.
With forwared messages the forwarder can sign again, that's
already implemented.
> Any implementation would have to ensure that the msg can only be added by the
> local application. That means: Not in body or even headers, but stored in
> internal meta-data, in ways that provably cannot be seeded by incoming, fwrd
> etc. msgs, and displayed in the header pane.
But that would mean new data structures and complexity for the implementation.
The security gain is not very big. The case when the incoming new mail already
contained that removal message is quite ovious for the recepient. He could
simply delete that unauthorized mail. Or Mozilla would additionally add a
comment like "warning: removal message forged" ...
> Note that this msg would be lost when looked at on IMAP on a different machine,
> after a copy to another machine etc., and definitely when forwarded (see above).
> THe msg would then appear completely unsigned (which it is).
Yes, but it would be impossible to secure such a long trust chain.
We should stay with the simple "signature removed" marker.
Everything else would be very difficult and could not improve security
very much.
> > Of course somebody could break into the user's machine. But then
> > also digital certificates could be altered.
> No, they could not. The display could, yes. But a break-in is not my main concern.
I would agree that we assume trust for the own machine and mailbox.
That is not sufficient for court trials, but if you want that we could
not implement the removal feature at all.
Securing the removal message would mean kind of local signing with local
certificates. These could be altered by somebody with access to this machine.
It would help when the messages are stored in an untrusted IMAP folder.
You will run into really complex security issues.
So, just keep it simple.
Just strip off the signature and insert the removal message.
(In reply to comment #8)
> > The replacement message even proves that the signature was valid before.
> No, it does *not*. That's what I said in my initial description.
Depends on your assumtions. Of course not for a court trial any more.
You can't avoid that loss when removing the attachment.
But the message is a marker for the mailbox owner that the signature was
valid in the moment when he stripped the attachment. Of course with the
assumtion that nobody broke into the mailbox and that the incoming mail did not
already contain that message. But that's up to the recepient, quite obvious.
More is not possible when the message was altered.
The modification could be signed by the recepient, but that does not
help him very much.
With forwared messages the forwarder can sign again, that's
already implemented.
> Any implementation would have to ensure that the msg can only be added by the
> local application. That means: Not in body or even headers, but stored in
> internal meta-data, in ways that provably cannot be seeded by incoming, fwrd
> etc. msgs, and displayed in the header pane.
But that would mean new data structures and complexity for the implementation.
The security gain is not very big. The case when the incoming new mail already
contained that removal message is quite ovious for the recepient. He could
simply delete that unauthorized mail. Or Mozilla would additionally add a
comment like "warning: removal message forged" ...
> Note that this msg would be lost when looked at on IMAP on a different machine,
> after a copy to another machine etc., and definitely when forwarded (see above).
> THe msg would then appear completely unsigned (which it is).
Yes, but it would be impossible to secure such a long trust chain.
We should stay with the simple "signature removed" marker.
Everything else would be very difficult and could not improve security
very much.
> > Of course somebody could break into the user's machine. But then
> > also digital certificates could be altered.
> No, they could not. The display could, yes. But a break-in is not my main concern.
I would agree that we assume trust for the own machine and mailbox.
That is not sufficient for court trials, but if you want that we could
not implement the removal feature at all.
Securing the removal message would mean kind of local signing with local
certificates. These could be altered by somebody with access to this machine.
It would help when the messages are stored in an untrusted IMAP folder.
You will run into really complex security issues.
So, just keep it simple.
Just strip off the signature and insert the removal message.