Comments on: Verifying Smime content with openSSL http://lair.moria.org/blog/archives/123 Unix, Information Security & Systems Administration Fri, 25 Jun 2010 08:09:59 +0000 hourly 1 http://wordpress.org/?v=3.0.5 By: Shaun Dewberry http://lair.moria.org/blog/archives/123/comment-page-1#comment-79 Shaun Dewberry Mon, 01 Sep 2008 22:23:17 +0000 http://lair.moria.org/blog/?p=123#comment-79 Ah yes, the old corporate email disclaimer that gets bolted on haphazardly at the mail gateway, often using nothing more than a sendmail rewrite kluge. I've been fighting the battle against email disclaimers for over 5 years, specifically because of the integrity damage it does to a message. (and also cos its just a damned waste of bandwidth) I came up with three solutions - 1. Add an extra message header at the gateway, which references the URL of a message disclaimer (i.e. X-Disclaimer: Visit http://x.y/disclaimer). Not sure how well this gets through the legal minefield, but at least it doesn't mess with the email. 2. Plead ignorance, stupidity or incompetence when asked to add this functionality to corporate mail servers. ("Sorry boss, I have no idea how to do that, but I think if we spend $$$++ we can get it") 3. Try and get everyone to add the standard corporate sig/disclaimer directly in their email client. Perhaps some sort of "network notaries" system could be setup similar to Firefox extension Perspectives (http://www.cs.cmu.edu/~perspectives/firefox.html) which could turn the above "strip and verify" manual process into something more automated. Ah yes, the old corporate email disclaimer that gets bolted on haphazardly at the mail gateway, often using nothing more than a sendmail rewrite kluge. I’ve been fighting the battle against email disclaimers for over 5 years, specifically because of the integrity damage it does to a message. (and also cos its just a damned waste of bandwidth)

I came up with three solutions –
1. Add an extra message header at the gateway, which references the URL of a message disclaimer (i.e. X-Disclaimer: Visit http://x.y/disclaimer). Not sure how well this gets through the legal minefield, but at least it doesn’t mess with the email.
2. Plead ignorance, stupidity or incompetence when asked to add this functionality to corporate mail servers. (“Sorry boss, I have no idea how to do that, but I think if we spend $$$++ we can get it”)
3. Try and get everyone to add the standard corporate sig/disclaimer directly in their email client.

Perhaps some sort of “network notaries” system could be setup similar to Firefox extension Perspectives (http://www.cs.cmu.edu/~perspectives/firefox.html) which could turn the above “strip and verify” manual process into something more automated.

]]> By: Barry Irwin http://lair.moria.org/blog/archives/123/comment-page-1#comment-46 Barry Irwin Tue, 26 Aug 2008 11:04:30 +0000 http://lair.moria.org/blog/?p=123#comment-46 Yes this does seem to be a failing in the way Thunderbird processes the S/MIME packaging. With encrypted content it does seem to work however. The question also comes on whether the CERTIFICATE is valid, or whether the Signature is valid? It would appear that no warning is issued when the signature of the .s7m is found to be valid. Certificates are ignored it appears. Yes this does seem to be a failing in the way Thunderbird processes the S/MIME packaging. With encrypted content it does seem to work however. The question also comes on whether the CERTIFICATE is valid, or whether the Signature is valid? It would appear that no warning is issued when the signature of the .s7m is found to be valid. Certificates are ignored it appears.

]]> By: Anonymous http://lair.moria.org/blog/archives/123/comment-page-1#comment-42 Anonymous Mon, 25 Aug 2008 20:19:10 +0000 http://lair.moria.org/blog/?p=123#comment-42 So, if I tell Outlook to just send the signed bit and not send the clear text mail as well, Thunderbird reads and displays the e-mail just fine, and the sif relay attaches the disclaimer as a seperate attachment (because there is no text portion for it to append to). But, to Thunderbird's discredit, it has happily parsed the .s7m attachment, without mentioning whether the cert is valid! So, if I tell Outlook to just send the signed bit and not send the clear text mail as well, Thunderbird reads and displays the e-mail just fine, and the sif relay attaches the disclaimer as a seperate attachment (because there is no text portion for it to append to). But, to Thunderbird’s discredit, it has happily parsed the .s7m attachment, without mentioning whether the cert is valid!

]]>