All digitally signed emails contain information about the certificate used to place the digital signature: the issuer ID and the certificate serial number. This information is needed to retrieve the certificate and verify the signature. It is possible that the certificate is unknown to the mail application that is trying to do the verification. In this case, the application can use the certificates appended to the signature, if they were added by the sending mail agent. To perform full verification of the signature, the validity of the certificate must be checked as well. This is why all the certificates in the validation path can be included in the signature as well.
Imagine a message containing a simple 'Hello!' text and weighing 13KB. Sounds suspicious, doesn't it? That is how such a message looked to Alice, and so the Test Team set out to look for the source of the heavy weight of the simplest of messages.
The message was marked as digitally signed, so the initial suspicion fell on the signature binary data. After viewing the message with MimeViewer, the blame was put on certificates added to the signature by the sending agent (Outlook Express in this case):
But why did Outlook Express add 8 certificates to the signature? Even more, 3 of them are duplicated in the package, increasing the size without any reason. MimeViewer comes to the rescue again, showing that two main certificates were added to the message: the signature certificate and the preferred encryption certificate mentioned in the SMIME-preference signature part.
OE simply put both certificates and all their paths, 4 certificates long, into the signature, which makes 8 certificates altogether. However, both certificates were issued by the same CA, so they share the certification paths, each one 3 certificates long. This explained the "8 certificates, 3 duplicates" case, but it raised the next questions: what is the largest message that can be produced with real-world certificates, and which mail client will produce it?
And the winner is ....... Outlook Express TM, with its ability to turn a six-character-long message into a 13KB nightmare of 8 certificates. Interestingly, OE is equally capable of sending the shortest signed message of the mail clients tested. The difference lies in the configuration of the sending application, OE in this case.
Other applications allow configuring the number of certificates to be sent too:
Although in this extreme case adding the signature certificate chain enlarges the message dramatically, it is generally a good idea to include the certificates (without the root certificate) in the message to facilitate verification of the signature. With typical, larger messages the signature binary data, including the certificates, is only a small percentage of the message size and does not create any problems.
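To make the behaviour described above concrete, here is an added example, not code from the original article and not Outlook Express or MimeViewer code, written with the Python `cryptography` library (assumed to be installed). It builds a constructed three-level chain, signs the same six-character message once with the path without the root and once with the root included, and then inspects the resulting CMS SignedData the way a verifier or a size auditor would: counting the embedded certificates, spotting duplicates by SHA-256 fingerprint, flagging an embedded root (a self-issued certificate), and totalling the DER bytes the certificates contribute. Names such as `Demo Root CA` and `alice@example.com` are constructed for the demo.

```python
"""Inspect which certificates an S/MIME signature carries (added example).

Assumptions (not from the original article): the `cryptography` library is
installed; the certificate hierarchy built here is constructed for the demo
and stands in for a real CA hierarchy.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID


def _make_cert(common_name, issuer_cert, issuer_key, is_ca):
    """Issue one certificate; issuer_cert=None yields a self-signed root."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_cert.subject if issuer_cert else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return cert, key


def build_chain():
    """Constructed demo hierarchy: root CA -> intermediate CA -> end entity."""
    root, root_key = _make_cert("Demo Root CA", None, None, True)
    inter, inter_key = _make_cert("Demo Intermediate CA", root, root_key, True)
    leaf, leaf_key = _make_cert("alice@example.com", inter, inter_key, False)
    return root, inter, leaf, leaf_key


def sign_detached(message, leaf, leaf_key, extra_certs):
    """DER of a detached CMS SignedData, i.e. the payload of an S/MIME
    application/pkcs7-signature part. The signer certificate is embedded by
    the builder itself; extra_certs is what the sending client adds for the
    certification path (the knob the article says differs between clients)."""
    builder = pkcs7.PKCS7SignatureBuilder().set_data(message)
    builder = builder.add_signer(leaf, leaf_key, hashes.SHA256())
    for cert in extra_certs:
        builder = builder.add_certificate(cert)
    return builder.sign(
        serialization.Encoding.DER,
        [pkcs7.PKCS7Options.DetachedSignature, pkcs7.PKCS7Options.Binary],
    )


def summarize_certificates(certs):
    """Count embedded certificates, find duplicates by fingerprint, flag an
    embedded root (issuer == subject) and total the DER bytes they occupy."""
    counts = {}
    for cert in certs:
        fingerprint = cert.fingerprint(hashes.SHA256()).hex()
        counts[fingerprint] = counts.get(fingerprint, 0) + 1
    return {
        "total": len(certs),
        "unique": len(counts),
        "duplicates": sum(n - 1 for n in counts.values()),
        "root_included": any(c.issuer == c.subject for c in certs),
        "der_bytes": sum(len(c.public_bytes(serialization.Encoding.DER)) for c in certs),
    }


def inspect_signature(der_signature):
    """Extract the certificates from a CMS SignedData blob and summarize them."""
    return summarize_certificates(pkcs7.load_der_pkcs7_certificates(der_signature))


if __name__ == "__main__":
    root, inter, leaf, leaf_key = build_chain()
    hello = b"Hello!"  # the six-character message from the article
    lean = sign_detached(hello, leaf, leaf_key, [inter])         # path without root
    heavy = sign_detached(hello, leaf, leaf_key, [inter, root])  # root embedded too
    for label, sig in (("leaf+intermediate", lean), ("leaf+intermediate+root", heavy)):
        print(f"{label}: signature {len(sig)} bytes, {inspect_signature(sig)}")
```

For a real message, the DER blob passed to `inspect_signature` is the base64-decoded body of the `application/pkcs7-signature` MIME part, which the standard `email` module can hand you with `get_payload(decode=True)`. The `duplicates` and `root_included` fields are exactly the two findings the article makes about the 13KB message: the shared part of the two certification paths was sent twice, and the root, which a verifier must already trust anyway, travelled with the message.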