Hi Enigmail folks--

The message i'm writing right now is not signed by me (please inspect
the source to verify).  However, when viewed in enigmail, I believe it
will have a "Good signature" header if you already have my key.

This is because i've attached another e-mail from me below, and that
e-mail itself is signed.  that is, this message has a message/rfc822
subpart that itself contains a PGP/MIME-signed message.

Using the enigmail UI, i see no way to distinguish which part of the
message is actually the signed part.

This seems to be a serious message verification/authenticity concern.
If anyone is unclear on the risk and is willing to volunteer, i'd be
willing to craft a bogus message to you from your own e-mail.  just send
me a PGP/MIME-signed message, and i'll send you back a different message
"from yourself" that appears to be signed by you.

I'm not sure how enigmail can address this issue -- i think there will
need to be some sort of UI change, but i'm not sure what the options are.

One thought would be to refuse to process PGP/MIME signatures of
sub-parts (only process PGP/MIME if the message body itself is
content-type multipart/signed), but i suspect that would break many
common arrangements (e.g. this and other mailing lists make the whole
message itself multipart/mixed, put the multipart/signed original
message body as subpart, and then append a text/plain footer part).

Some other MUAs (e.g. notmuch) do not have this problem because their
signature verification indicators are bound directly to the part of the
e-mail that is signed.

Any suggestions for how to address this?

        --dkg
--- Begin Message ---
On 02/06/2013 12:01 PM, John A. Wallace wrote:
> I have seen in some cases where the email message that is signed by gpg such
> as we would see with Enigmail includes not only the body of the message but
> also the personal signature of the author below the body of the message,
> which might include his or her name and other identifying information (e.g.,
> workplace, title and whatnot) or might include a humorous or witty saying
> below it. On the other hand, I have also seen some email programs exclude
> the author's personal signature and such at the bottom of the message and
> place this part underneath the last line of the gpg signed message. So, my
> question is whether there is an official ruling on whether it should be
> included or what is the situation on this matter? Thanks.

i don't think there is any official body to make an official ruling on
this matter.

I think it is a question of what the sender intends to sign.  Some
people may consider the message incomplete without the inclusion of
their .sig; others may only be interested in sending a signed datum, and
believe that their .sig would be a distraction from the message that is
supposed to be subject to cryptographic verification.  Some people might
fall in one camp or the other depending on what they're doing or who
they are communicating with.

the answer is: "it depends".

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
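
The following is an added example, not part of the original post and not Enigmail's code. It walks a message's MIME tree with Python's standard `email` package and reports where each multipart/signed part sits relative to the outer message, covering the three arrangements the post mentions. The sample messages, scope labels and function names are constructed for illustration, and no signature is actually verified.

```python
from email import message_from_string, policy

def signed_parts(msg, path="1", attached=False):
    """Return [(path, scope)] for each multipart/signed node in the MIME tree."""
    found = []
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        scope = ("attached-message" if attached      # inside message/rfc822
                 else "whole-message" if path == "1"  # the message body itself
                 else "sub-part")                     # e.g. list footer appended
        found.append((path, scope))
    if msg.is_multipart():
        # Children of message/rfc822 belong to a different, embedded message.
        inside = attached or ctype == "message/rfc822"
        for i, child in enumerate(msg.get_payload(), 1):
            found += signed_parts(child, f"{path}.{i}", inside)
    return found

# Constructed samples; the signature part is a placeholder, nothing is verified.
SIGNED = ('Content-Type: multipart/signed; boundary="s";\n'
          ' protocol="application/pgp-signature"\n\n'
          '--s\nContent-Type: text/plain\n\nsigned body\n'
          '--s\nContent-Type: application/pgp-signature\n\nplaceholder\n--s--\n')
MIXED = 'Content-Type: multipart/mixed; boundary="m"\n\n'
TEXT = '--m\nContent-Type: text/plain\n\nunsigned text\n'
SAMPLES = {
    # Body itself is multipart/signed.
    "direct": "From: a@example.org\n" + SIGNED,
    # Mailing-list style: signed body as first sub-part, then a text footer.
    "list-footer": ("From: a@example.org\n" + MIXED + "--m\n" + SIGNED
                    + TEXT + "--m--\n"),
    # Unsigned outer message with a signed message attached as message/rfc822.
    "forwarded": ("From: b@example.org\n" + MIXED + TEXT
                  + "--m\nContent-Type: message/rfc822\n\nFrom: a@example.org\n"
                  + SIGNED + "--m--\n"),
}

def classify(name):
    msg = message_from_string(SAMPLES[name], policy=policy.default)
    return signed_parts(msg)

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

A viewer that shows one message-wide signature indicator treats all three results the same; binding the indicator to the reported path, or showing it only for the "whole-message" scope, keeps the attached-message case from being read as covering the outer text.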