Russ: Is there some more work to be done here to address the CBC/CFB issues? Even if the encapsulation has AEAD support, maybe there's some negotiation thingy?
On Mon, May 14, 2018, 12:37 Russ Housley <housley@xxxxxxxxxxxx> wrote:
_______________________________________________On May 14, 2018, at 12:35 PM, Paul Wouters <paul@xxxxxxxxx> wrote:On May 14, 2018, at 12:29, Russ Housley <housley@xxxxxxxxxxxx> wrote:
We are working on text for S/MIME that says that each portion of a MIME multi-part needs to be handled in its own sandbox. The direct exfiltration that is described happens because the mail user agent glues the various portions together for display to the user, which in the example on the web page causes an image to be fetched from the attacker's website with the message plaintext as part of the URL.
So that’s the bandaid. What and where will work be done on a solution?LAMPS just sent an update to the S/MIME message document to the IESG. My guess is that there will be discussion on the spasm@xxxxxxxx mail list.Russ
Spasm mailing list
Spasm@xxxxxxxx
https://www.ietf.org/mailman/listinfo/spasm
