RE: XSMTP and eSSSecurityLabel
By: Graeme Lunt on 2007-08-14 18:06
[forum:52886]
Christophe,

As far as the inner headers go, I'd start off with including all headers and just copying the originator and submit date to the outer headers. This would give the closest comparison to signed P772.
But then you'd want to look and see if you want to gateway any of these headers without breaking the signature and needing to re-sign. In which case you might want to move those headers to the outer headers.

The eSSSecurityLabel is both content (e.g. P772, IMF or powerpoint) and transport (e.g. P1 or SMTP) independent. So if you use CMS to sign something you have a standard way to label it. This is reflected in the fact that the S/MIME elements of STANAG 4406 have been moved to a more generic (i.e. not messaging specific) S/MIME Profile STANAG - STANAG 4631 (though I am not sure of its ratification status).
Also, the use of CMS labelling allows you to add additional wrappers (e.g. triple wrap) and present a different security label on the different layers, as well as make use of other features like equivalentLabels.

You are not wrong, you could just sign a security label heading field and that was actually what the Protecting Content Type (PCT) did. But you would need to define a label field for each content you were protecting with CMS.
But if you don't define a label field, how do you label a message you don't sign? But that is another debate.

It is not a complete answer to your question, I know.

Graeme

RE: XSMTP and eSSSecurityLabel
By: Christophe Renard on 2007-08-14 14:47
[forum:52885]
Thanks for pointing that out Graeme, I had totally missed it.

That leaves open the question of which headers to include in an eventual internal message/rfc822 block.

I am puzzled by the utilisation of the eSSSecurity label when the same information could simply be stored as a plaintext header instead of ASN.1 (I probably still miss something).

--
Christophe Renard



RE: XSMTP and eSSSecurityLabel
By: Graeme Lunt on 2007-08-14 13:37
[forum:52884]
Christophe,

S/MIME does actually address the integrity of message headers, at least at the protocol level, by using a message/rfc822 wrapper - see section 3.1 of RFC 3851.

It leaves the presentation issues to the client - but that would seem to fit within milimail's scope.

Graeme
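
An added example, not part of the original thread or of milimail's code: the message/rfc822 wrapping discussed in this thread (all headers inside, originator and date copied outside), plus the client-side comparison of the unprotected outer copies against the wrapped ones. It assumes the CMS signature over the inner part has already been verified; the function names, addresses and label value are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

COPIED = ("From", "Date")             # originator and submit date, per the thread
STRUCTURAL = ("content-", "mime-")    # MIME framing headers, expected to differ

def sample_inner():
    """Constructed sample message; addresses and label value are made up."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.org"
    m["Date"] = "Tue, 14 Aug 2007 13:37:00 +0000"
    m["Subject"] = "Exercise report"
    m["X-P772-Security-Classification"] = "RESTRICTED"
    m.set_content("Body text.\n")
    return m

def wrap(inner):
    """Carry every header inside a message/rfc822 part; copy only COPIED outside."""
    outer = EmailMessage()
    for name in COPIED:
        outer[name] = str(inner[name])
    outer.set_content(inner)          # yields Content-Type: message/rfc822
    return outer.as_bytes()

def mismatches(raw):
    """Return {header: (outer_value, inner_value)} for outer copies that differ."""
    outer = message_from_bytes(raw, policy=policy.default)
    if outer.get_content_type() != "message/rfc822":
        raise ValueError("no message/rfc822 wrapper")
    inner = outer.get_payload(0)      # the part an S/MIME signature would cover
    diffs = {}
    for name in inner.keys():
        if name.lower().startswith(STRUCTURAL) or name not in outer:
            continue
        if str(outer[name]).strip() != str(inner[name]).strip():
            diffs[name] = (str(outer[name]).strip(), str(inner[name]).strip())
    return diffs
```

A non-empty result means an outer header was changed after wrapping, so a client should display the inner value.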

RE: XSMTP and eSSSecurityLabel
By: Christophe Renard on 2007-08-13 00:11
[forum:52882]
Thanks,

I'll be looking forward to more on the subject.

I feel that using XSMTP without an integrity check on the headers, even in a governmental environment, is quite problematic.

Sadly S/MIME, even triple wrapped, does not address the problem.

Christophe

RE: XSMTP and eSSSecurityLabel
By: David SCHEFFER on 2007-08-09 18:19
[forum:52878]
Hi Christophe,

Thanks for your interest in milimail and your question.
Laurent Cailleux, the expert of the xsmtp norm project, has talked about the same idea during a meeting.
He's working on the v2 release. I think he'll answer your question soon.

David

RE: XSMTP and eSSSecurityLabel
By: Christophe Renard on 2007-08-08 20:45
[forum:52876]
After re-reading the preceding threads (and Bertrand's interventions), I feel my question may not be precise enough.

As far as I know, the only integrity mechanism for Internet mail exchange is provided through S/MIME (*) and does not protect email headers.

Considering the importance of the meta-information in the Milimail use context, would it be feasible to use something like the S/MIME signed attributes to certify those (like ESSSecurityLabel does for classification level)?

Thanks again for your impressive work.


(*) and PGP/MIME

--
Christophe Renard



XSMTP and eSSSecurityLabel
By: Christophe Renard on 2007-08-08 20:30
[forum:52875]
Hi and thanks to the team for your efforts.

I was wondering, since XSMTP users are very likely to be S/MIME users, if there would be any relation between XSMTP X-P772-Security-Classification and the ESS Security Label.

Both having more or less the same purpose, and the second being included in the S/MIME signature, it would be very interesting to use it.

In a larger scope, is there any plan to include XSMTP headers into S/MIME parts to offer some integrity verification?

Thanks for all.

--
Christophe Renard

PS: I took the liberty of writing in English, considering the previous posts.
