Open Bug 287294 Opened 20 years ago Updated 2 years ago

"Save as draft" wants to sign the message, asks for password

Categories: MailNews Core :: Security: S/MIME, defect
Platform: x86, All
Tracking: Not tracked
People: Reporter: Biesinger, Unassigned
Whiteboard: [kerh-coz][psm-smime][psm-roadblock]

checkout finish: Son Mär 20 17:46:21 CET 2005
linux, gtk2/xft, suite

If I enabled digital signatures for a mail account, saving as a draft will ask
for my master password in order to sign the message. This is annoying especially
when used with autosaving, since a seemingly random password prompt will come
up. Also, it seems premature to sign a message long before it will be sent, if
at all.
Whiteboard: [kerh-coz]
OS: Linux → All
There is no value in digitally signing a draft message. An S/MIME signature ensures a message has not changed since it was signed. Therefore if a draft message were to be signed and placed in Drafts and then retrieved from Drafts and altered, by rights Thunderbird should not permit any changes to the message in any way. Only when a message is in its final form should its digital signature be applied, so that any recipient can immediately tell if the message was altered in any way while being transmitted to the recipient for whom the message was signed.

If I receive a S/MIME digitally signed message and it HAS been altered I get a strong warning on receipt that the original message may have been tampered with or has been attempted to be opened...etc

The same situation prevails for any of my recipients. 

IF a recipient of one of my digitally signed messages is not the same person as the addressee, the envelope WILL NOT OPEN. This is a common issue for companies or individuals who change their email address internally and maintain the same display name. In this case all past digitally signed messages are not accessible, as they were signed to 1 and 1 only recipient, and that cannot change unless you want to lose the ability to view past stored messages in local folders.

This situation is not as bad IF the signature has no public Certifying Authority as in self generated signatures which offer no value unless public Keys/ Private keys are exchanged between 2 people well before signing messages commences.
QA Contact: s.mime
Retracted

Signing a message is essentially attesting "I said this and I stand by it".  That is *not* appropriate for a draft message.  In a worst case, your draft is picked up in a forensic analysis and then they hold you to it when you didn't mean it.

*If* encrypting is selected, then the message should be saved encrypted to self (it wouldn't really hurt to do that for all messages, but that's another debate), but in any case, would be encrypted with a public key so you wouldn't have to be prompted for the password all the time, nor if you actually clicked "Save as Draft".

*Signing* the message does not affect who can read it (unless the certificate has expired, that is also bogus: a warning should pop up, but you should be able to still read your old messages).

If a message is *encrypted* to a recipient, you should be able to still read the message as long as you have the private key and the passphrase for it.
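The asymmetry the comment above relies on (sealing a draft to yourself needs only your public key, while signing always needs the private key, and any later edit invalidates the signature) can be shown with plain RSA. This is an added example, not Thunderbird or NSS code; the key pair, the OAEP label and the draft text are all constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed example: RSA stands in for the S/MIME certificate's key pair.
// EncryptToSelf seals a draft under the author's own public key. Only the
// public key is needed, so saving (or autosaving) needs no password prompt.
func EncryptToSelf(pub *rsa.PublicKey, draft []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, draft, []byte("draft"))
}

// OpenDraft reopens a sealed draft. This is the step that legitimately needs
// the private key, and therefore the master password.
func OpenDraft(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, []byte("draft"))
}

// Sign attests to the exact bytes of msg; it always needs the private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify reports whether sig still covers msg.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	draft := []byte("Dear all, first attempt at the announcement...")
	// Saving a draft: a public-key operation, the private key is never touched.
	sealed, _ := EncryptToSelf(&priv.PublicKey, draft)
	back, _ := OpenDraft(priv, sealed)
	fmt.Println("draft round trip ok:", string(back) == string(draft))
	// Signing the draft buys nothing: the next edit invalidates the signature.
	sig, _ := Sign(priv, draft)
	edited := []byte(string(draft) + " (final wording)")
	fmt.Println("signature valid on draft:", Verify(&priv.PublicKey, draft, sig))
	fmt.Println("signature valid after editing:", Verify(&priv.PublicKey, edited, sig))
}
```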
I would trust that the recipient has nothing to do with the internal passphrase; however, we need the ability just to attach the public key in the first instance, and encryption without signature, even if in draft, is not in keeping with S/MIME functionality... I digress.

We constantly separate the signature functionality (providing absolute
authenticity and in line with international standards) without considering the
encryption aspect. Functionally the two should not be separated.

This is a very nice fix around; however, the beauty of having draft messages
signed AND encrypted to self is not available if we do this.

Countless times, anyone in a .MIL or .GOV or .IT and many .COM
industries is required to encrypt all messages, either in draft or sent; it is
mandatory.

There are far too many stories of laptops being left at airport lounges with
unencrypted/unsigned drafts, and where encryption of the HDD has not been
undertaken, that have made front page stories, especially when they are left
behind by ANY person who uses a laptop and whose work demands encryption of ALL
emails.

This is not a nice-to-have feature.

Whilst you continue to ignore full S/MIME functionality, your marketplace
acceptance is insurmountably depleted.


In the above situation, AS the message is merely being saved to oneself AND
S/MIME signing and subsequent encryption is required to either autosave or Save
or Save As, all that is required is that the code be altered not to prompt for
the master password. However, upon retrieval of such a signed AND encrypted
message the password MUST be requested.

This should NOT really be difficult code; surely a few IF THEN statements could
provide the above.

Resources:
http://www.verisign.com/products-services/security-services/pki/index.html
http://iase.disa.mil/pki/dod-cp-v90-final-9-feb-05-signed.pdf
(Contact author secure@aphofis.com if unable to view the above; I will make it
available. Scott)
http://www.ietf.org/html.charters/pkix-charter.html
http://www.semper.org/sirene/outsideworld/standard.html
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf
http://java.sun.com/j2se/1.3/docs/guide/security/cert3.html



The case you bring up seems like quite an extreme outlier.  Sure, many industries and government entities require encryption of data on laptops... but only encrypting email (and message-by-message on top of that!) is a very shoddy solution, and would in practice have about as many holes as an acre of Swiss cheese.  The only serious way to protect data on something like a laptop is with HDD encryption -- which is not that difficult to do today.

I second comment #4, and would argue that the case of security-conscious entities who put a higher premium on encrypting draft messages than on encrypting the hard drive they reside on is a complete non-issue.
Not so many holes - Microsoft offers a password just to open the email client. This is often viewed as sufficient, particularly as the data file .PST becomes inaccessible when the Microsoft password to "Outlook" is employed.
(In reply to comment #7)
> Not so many holes - Microsoft offers a password just to open the email client.
> This is often viewed as sufficient, particularly as the data file .PST becomes
> inaccessible when the Microsoft password to "Outlook" is employed.
> 

And I really wish Thunderbird offered that kind of profile protection!
But that is *much* different (and much better) than encrypting each singular piece of email with an S/MIME certificate.  Or, as in the case with this bug report, attempting to encrypt/sign (and prompt for a password) every time it background-saves a draft copy of an email being composed under a timed-out certificates profile.

There is probably another bug report out there asking for what you just described Outlook doing.  And it's probably even older than this one.
The single .PST file is a monster in business. Something I do not want to see ever. M$ has enough problems with the outrageous size the file gets to, and company I.T. guys hate it. You know the saying - never put all your eggs into one basket.
Absolutely concur with comment #4
Product: Core → MailNews Core
People have been asking for this for years... Can anybody from the Mozilla team inform us about plans to remove this annoying feature (signing drafts)?
Assignee: kaie → nobody
Whiteboard: [kerh-coz] → [kerh-coz][psm-smime][psm-roadblock]
Severity: normal → S3