RFC 2480 (rfc2480) - Page 2 of 6


Gateways and MIME Security Multiparts






RFC 2480         Gateways and MIME Security Multiparts      January 1999


          For example, a signature that covers only object data and not
          the object's MIME labels would allow someone to tamper with
          the labels in an undetectable fashion.  Similarly, failure to
          encrypt MIME label information exposes information about the
          content that could facilitate traffic analysis.

          Composite MIME objects (e.g., multipart/mixed, message/rfc822)
          also have to be secured as a unit.  Again, failure to do so
          may facilitate tampering, reveal important information
          unnecessarily, or both.

    (2)   Gateways that deal with MIME objects have to be able to
          convert them to non-MIME formats.

          For example, gateways often have to transform MIME labelling
          information into other forms. MIME type information may end up
          being expressed as a file extension or as an OID.

          Gateways also have to take apart composite MIME objects into
          their component parts, converting the resulting set of parts
          into whatever form the non-MIME environment uses for
          composite objects. Failure to do so makes the objects unusable
          in any environment that doesn't support MIME. In many cases
          this also means that multi-level MIME structures have to be
          converted into a sequential list of parts.

    (3)   Security services have to be deployed in an end-to-end
          fashion. Failure to do so again can lead to security
          exposures.

          An integrity service deployed at something other than a
          connection end point means a region exists between the point
          where the integrity service is applied and the actual end
          point where object tampering is possible. A confidentiality
          service deployed at something other than a connection end
          point means a region exists where the object is transferred in
          the clear. And worse, distributed private keys are usually
          necessary whenever someone other than the originator applies
          an integrity service or someone other than the recipient
          removes a confidentiality service, which in turn may make
          theft of private key information a possibility.

          All of these issues can be addressed, of course. For example,
          it may be possible to use multiple overlapping security
          services to assure that no exposure exists even though there
          is no end-to-end security per se. And keys can be distributed
          in a secure fashion. However, such designs tend to be quite
          complex, and complexity in a security system is highly



Freed                       Standards Track
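
Added example (not part of RFC 2480): requirement (1) above, that a signature must cover an object's MIME labels and that composite objects must be secured as a unit, shown in Python. HMAC-SHA256 with a constructed key stands in for a real signature service; the sample entities, KEY and all function names are assumptions made for the illustration, and joining parts byte-for-byte simplifies real multipart framing.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a real signature

def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def body_of(entity: bytes) -> bytes:
    """Object data only: everything after the blank line that ends the labels."""
    return entity.partition(b"\r\n\r\n")[2]

def verify(signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(tag(signed), sig)

# Constructed sample entity: MIME labels, blank line, object data.
ORIGINAL = (
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Disposition: inline\r\n"
    b"\r\n"
    b"Quarterly totals follow.\r\n"
)
# Same object data, but with the labels changed somewhere in transit.
RELABELED = (
    ORIGINAL.replace(b"text/plain; charset=us-ascii", b"application/octet-stream")
    .replace(b"inline", b"attachment")
)
# Constructed composite object: two parts that belong together.
PARTS = [ORIGINAL,
         b"Content-Type: text/plain\r\n\r\nPart 1 is a draft, not final.\r\n"]

def label_check():
    data_sig = tag(body_of(ORIGINAL))  # signature covers object data only
    entity_sig = tag(ORIGINAL)         # signature covers labels and data
    return (verify(body_of(RELABELED), data_sig),  # label change goes unnoticed
            verify(RELABELED, entity_sig))         # label change is detected

def composite_check():
    part_sigs = [tag(p) for p in PARTS]         # each part signed separately
    unit_sig = tag(b"".join(PARTS))             # parts signed as one unit
    kept, kept_sigs = PARTS[:1], part_sigs[:1]  # second part lost in transit
    per_part_ok = all(verify(p, s) for p, s in zip(kept, kept_sigs))
    return per_part_ok, verify(b"".join(kept), unit_sig)

if __name__ == "__main__":
    print(label_check(), composite_check())
```

In both checks the first value is the narrower signature still verifying after the change, and the second is the signature over the whole unit rejecting it.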