[linux-elitists] Fwd: PGP signature attachments!

Sean Neakums sneakums@zork.net
Fri Sep 7 17:59:09 PDT 2001


begin  Karsten M Self quotation:

> on Fri, Sep 07, 2001 at 10:41:40PM +0100, Sean Neakums (sneakums@zork.net) wrote:
>> begin  Karsten M Self quotation:
>> > Moreover, RFC 2015 includes directives to mail handling utilities
>> > regarding integrity of messages, and how they are or aren't to
>> > modify a message text which has been signed or encrypted.  As
>> > you've certainly read my rant closely by now, you'll note the
>> > specific reference I've made to the munging issue.  Cleartext
>> > signing provides no such hints, and there is no assurance your
>> > cleartext signed message will be delivered intact.
>> 
>> People fail to check signed messages, and it's the MUA's fault for
>> allowing them to be munged in the first place?
> 
> Please restrict yourself to putting words in your own mouth, not mine.

Note my use of the question mark.  It indicates interrogation.  A
simple "No." would have sufficed.  You may lower your bristles now, if
you wish.  Maybe you like them better that way.

> A munged signed message can't be verified regardless.  Broken mail
> handling software must be fixed.
> 
> An intact, signed, but unverified message can still be verified at a
> later date.  There's worlds of difference.

The only way to verify that a PGP-signed message is intact is to
attempt to verify the signature.  You cannot trust the transport
mechanism nor the software used to encapsulate the message AT ALL.  I
can't be any more certain that a PGP/MIME implementation has not
munged a message than I can that a plaintext PGP message has not been
munged.

>> > MIME is an established and official IETF standard.  RFC 2015 is
>> > not officially recognized, due to its draft status, but it's a
>> > fairly widely implemented standard.  The Gnus feature is, by
>> > contrast, an exploitation of a convention.
>> 
>> Given its non-ratified status, RFC2015 is merely an
>> extensively-documented convention.
> 
> No.  
> 
> It is also relatively extensively implemented.

As is software that can deal with traditional plain-text PGP messages.

-- 
"The man who laughs at standards--that man must be put down.
 We are none of us perfect; I know that.  But we must agree
 on what perfection is."
	-- Joe Gendreau, California Weights and Measures
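The thread turns on what "munged" means for a cleartext-signed message and on the claim that the only real integrity check is running the verification. The following script is an added example, not code from the thread or from any MUA it mentions. It implements the canonicalisation rules the OpenPGP cleartext-signature format applies to the signed text (trailing spaces and tabs are not signed, line endings are hashed as CRLF, lines beginning with "-" are dash-escaped inside the armor, as written up in RFC 4880 section 7.1), wraps a constructed message in the armor, and then feeds several kinds of transport munging through the parser to see which ones still verify. The signature primitive is an HMAC keyed with a constructed demo key, standing in for the OpenPGP public-key signature so that the example runs with the standard library alone; the message text and the munging functions are likewise constructed for the demonstration.

```python
"""Cleartext-signature canonicalisation and a munging check.

Added example, not code from the original thread.  Signed text is
canonicalised per RFC 4880 section 7.1 before hashing; the "signature"
is an HMAC over that canonical form, keyed with a constructed demo key
(a stand-in for the real OpenPGP public-key signature).
"""
import hashlib
import hmac
import re

DEMO_KEY = b"constructed-demo-key, not a real PGP key"

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def canonicalize(text: str) -> bytes:
    """RFC 4880 7.1 text rules: strip trailing spaces/tabs from every
    line and normalise every line ending to CRLF.  This is what is hashed,
    so a transport that only touches those two things cannot break a
    signature; anything else will."""
    lines = [ln.rstrip(" \t") for ln in re.split(r"\r\n|\r|\n", text)]
    return "\r\n".join(lines).encode("utf-8")


def sign(text: str) -> str:
    """Stand-in for the OpenPGP signature: HMAC-SHA256 over canonical text."""
    return hmac.new(DEMO_KEY, canonicalize(text), hashlib.sha256).hexdigest()


def verify(text: str, signature: str) -> bool:
    """The only check that tells you the text arrived intact."""
    return hmac.compare_digest(sign(text), signature)


def dash_escape(text: str) -> str:
    """Prefix lines starting with '-' so they cannot be read as armor markers."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))


def dash_unescape(text: str) -> str:
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))


def build_clearsigned(text: str) -> str:
    """Wrap text in the cleartext armor and append its signature."""
    return (f"{BEGIN_MSG}\nHash: SHA256\n\n{dash_escape(text)}\n"
            f"{BEGIN_SIG}\n{sign(text)}\n{END_SIG}\n")


def parse_clearsigned(blob: str) -> tuple[str, str]:
    """Split a (possibly munged) armored message into signed text and
    signature.  Line endings may be LF or CRLF by the time it arrives."""
    armored = blob.split(BEGIN_MSG, 1)[1]
    body, signature_block = armored.split(BEGIN_SIG, 1)
    # Armor headers ("Hash: ...") run up to the first blank line.
    body = re.split(r"\r?\n\r?\n", body, maxsplit=1)[1]
    # The line ending just before the signature armor is not signed text.
    body = re.sub(r"\r?\n\Z", "", body)
    signature = signature_block.split(END_SIG, 1)[0].strip()
    return dash_unescape(body), signature


def verify_blob(blob: str) -> bool:
    text, signature = parse_clearsigned(blob)
    return verify(text, signature)


# Constructed message: trailing spaces on line 2 and a "-- " signature
# delimiter, the two things most likely to be altered in transit.
ORIGINAL = ("Meeting moved to 15:00.\n"
            "Bring the signed key list.  \n"
            "-- \n"
            "Sean")


def check_variants() -> dict[str, bool]:
    """Apply constructed transport munging to the armored message and
    report which variants still verify."""
    signed = build_clearsigned(ORIGINAL)
    variants = {
        "as sent": signed,
        # MTA strips trailing whitespace on every line
        "trailing whitespace stripped": re.sub(r"[ \t]+(?=\r?\n)", "", signed),
        # MUA rewrites line endings
        "converted to CRLF": signed.replace("\n", "\r\n"),
        # MUA reflows a long line (specific to this constructed message)
        "rewrapped": signed.replace("signed key list.", "signed key\nlist."),
        # Content edit in transit
        "content changed": signed.replace("15:00", "16:00"),
    }
    return {name: verify_blob(blob) for name, blob in variants.items()}


if __name__ == "__main__":
    for name, ok in check_variants().items():
        print(f"{name:30s} {'verifies' if ok else 'FAILS'}")
```

Run stand-alone, the script shows that whitespace stripping and line-ending conversion verify (the canonicalisation absorbs them), while reflowing or editing the text does not, and that nothing short of running the verification distinguishes the cases. Rewrapping is the munging the cleartext format cannot tolerate; the PGP/MIME successor to RFC 2015, RFC 3156, goes further and recommends quoted-printable encoding of the signed part so that trailing whitespace never reaches a transport in the first place.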