[Users] [Bug 4152] New: Add support for triple-wrapped S/MIME (RFC 2634, part of RFC 5751 for S/MIME 3.2)

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Wed Jan 30 15:38:25 CET 2019


            Bug ID: 4152
           Summary: Add support for triple-wrapped S/MIME (RFC 2634, part
                    of RFC 5751 for S/MIME 3.2)
    Classification: Unclassified
           Product: Claws Mail
           Version: other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Plugins/Privacy/SMIME
          Assignee: users at lists.claws-mail.org
          Reporter: thomas.orgis at uni-hamburg.de

MS Outlook creates triple-wrapped mails when encrypting using S/MIME, which
apparently leads to some parsing issues with current Claws Mail (content
visible, but headers missing in message view and also compose view of a

These messages seem to work fine in other clients (namely, Apple Mail on
OS X or iOS). Thunderbird has an aging patch pending since 12 years
(https://bugzilla.mozilla.org/show_bug.cgi?id=380624).  The UI issues
indeed need some thought: How are inner and outer signatures displayed
to the user? What to do if one of them does not check?

The wrapping of S/MIME-encrypted content within another S/MIME blob for
adding an outer signature is called triple-wrapping and was described
back in 1999 in RFC 2634 (https://tools.ietf.org/html/rfc2634), which is
referred to in the S/MIME standard (version 3.2 / RFC 5751, 
https://tools.ietf.org/html/rfc5751).  A conforming S/MIME MUA should at
least be able to correctly handle incoming triple-wrapped mails.

PS: Thinking about security implications, I realized that this does not
really prevent ciphertext tampering attacks, S/MIME needs something along
PGP's MDC. Triple-wrapping can help, though, in case the UI offers the
choice to only automatically decrypt messages that were correctly wrapped
and signed by someone in a whitelist.

You are receiving this mail because:
You are the assignee for the bug.

More information about the Users mailing list