Open Bug 1731600 Opened 4 years ago Updated 1 year ago

Enforce Content-Transfer-Encoding (CTE) 7bit header for OpenPGP signed messages

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

Thunderbird 91
enhancement

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: KaiE, Assigned: KaiE)

Attachments

(1 file, 1 obsolete file)

RFC 3156 states that multipart/signed messages MUST use Content-Transfer-Encoding: 7bit

In my understanding, 7bit is the default when the header is omitted.

Unfortunately, we're seeing some mail transport agents that add the "Content-Transfer-Encoding 7bit" line to messages, even inside nested parts of MIME messages; an example is bug 1731109.

For multipart/signed messages, this has the negative effect that the signature validation fails.

I'm hoping that mail agents never remove such headers. Is that a reasonable assumption?

If yes, we could try to make signed messages more robust, by ALWAYS adding the Content-Transfer-Encoding header (in all parts).

Magnus, what do you think?

Flags: needinfo?(mkmelin+mozilla)

I forgot the context, but I had already planned to suggest adding the same header for the protected header. So there is at least one additional scenario where this addition would help.

Probably reasonable to always add the header for signed messages, yes.
Sad as it is that Content-Transfer-Encoding other than base64 or 8bit are needed for anything these days...

Flags: needinfo?(mkmelin+mozilla)
Blocks: 1731109
Assignee: nobody → kaie
Status: NEW → ASSIGNED
Attachment #9242062 - Attachment is obsolete: true
Summary: Enforce Content-Transfer-Encoding 7bit header for OpenPGP signed messages → Enforce Content-Transfer-Encoding (CTE) 7bit header for OpenPGP signed messages
No longer blocks: 1731109
See Also: → 1731109

(In reply to Kai Engert (:KaiE:) from comment #0)

> RFC 3156 states that multipart/signed messages MUST use Content-Transfer-Encoding: 7bit
>
> In my understanding, 7bit is the default when the header is omitted.

I think you have misunderstood something. RFC 3156 requires the content to be 7bit. But not Content-Transfer-Encoding: 7bit.
base64 or quoted-printable is the suggested solution:

RFC 3156 - 3. Content-Transfer-Encoding restrictions

   [...]  For this reason all data
   signed according to this protocol MUST be constrained to 7 bits (8-
   bit data MUST be encoded using either Quoted-Printable or Base64).
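
The failure mode from comment #0 and the proposed mitigation, as an added example that is not part of the bug thread or Thunderbird's code. It assumes a transport agent that inserts the header only into parts lacking one; a SHA-256 digest stands in for the OpenPGP signature, and the function names and the sample part are constructed for illustration.

```python
import hashlib

CRLF = b"\r\n"
CTE = b"Content-Transfer-Encoding"

def split_part(part: bytes):
    """Split a MIME part into (header lines, body) at the first blank line."""
    head, _, body = part.partition(CRLF + CRLF)
    return head.split(CRLF), body

def has_cte(part: bytes) -> bool:
    """True if the part already carries a Content-Transfer-Encoding header."""
    headers, _ = split_part(part)
    return any(h.lower().startswith(CTE.lower() + b":") for h in headers)

def ensure_cte_7bit(part: bytes) -> bytes:
    """Add an explicit 'Content-Transfer-Encoding: 7bit' header if none is present.
    Models both the sender-side change proposed in the bug and the rewrite
    performed by the transport agent (assumed to touch only parts without one)."""
    if has_cte(part):
        return part
    headers, body = split_part(part)
    # RFC 3156 section 3: signed data must be constrained to 7 bits.
    if any(b > 0x7F for b in body):
        raise ValueError("body is not 7bit; use quoted-printable or base64")
    return CRLF.join(headers + [CTE + b": 7bit"]) + CRLF + CRLF + body

def digest(part: bytes) -> str:
    """Stand-in for the signature: hash over the exact signed bytes,
    which include the part's MIME headers."""
    return hashlib.sha256(part).hexdigest()

def survives_transport(signed_part: bytes) -> bool:
    """True if the digest taken at signing time still matches after transport."""
    return digest(signed_part) == digest(ensure_cte_7bit(signed_part))

# Constructed sample: first part of a multipart/signed message, header omitted.
IMPLICIT = b"Content-Type: text/plain; charset=us-ascii\r\n\r\nHello, signed world.\r\n"
# What the sender would sign if the header were always added.
EXPLICIT = ensure_cte_7bit(IMPLICIT)

if __name__ == "__main__":
    print("header omitted, survives transport:", survives_transport(IMPLICIT))
    print("header explicit, survives transport:", survives_transport(EXPLICIT))
```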