On 03/12/2013 06:46 PM, Daniel Kahn Gillmor wrote:
> Hi Enigmail folks--
>
> The message i'm writing right now is not signed by me (please inspect
> the source to verify). However, when viewed in enigmail, I believe it
> will have a "Good signature" header if you already have my key.

My Thunderbird, equipped with enigmail, makes no mention of any signing. When I looked at the source, I could see the two MIME pieces and the signature, but enigmail seemed to ignore all that.

> This is because i've attached another e-mail from me below, and that
> e-mail itself is signed. that is, this message has a message/rfc822
> subpart that itself contains a PGP/MIME-signed message.
>
> Using the enigmail UI, i see no way to distinguish which part of the
> message is actually the signed part.
>
> This seems to be a serious message verification/authenticity concern.
> If anyone is unclear on the risk and is willing to volunteer, i'd be
> willing to craft a bogus message to you from your own e-mail. just send
> me a PGP/MIME-signed message, and i'll send you back a different message
> "from yourself" that appears to be signed by you.
>
> I'm not sure how enigmail can address this issue -- i think there will
> need to be some sort of UI change, but i'm not sure what the options are.
>
> One thought would be to refuse to process PGP/MIME signatures of
> sub-parts (only process PGP/MIME if the message body itself is
> content-type multipart/signed), but i suspect that would break many
> common arrangements (e.g. this and other mailing lists make the whole
> message itself multipart/mixed, put the multipart/signed original
> message body as subpart, and then append a text/plain footer part).
>
> Some other MUAs (e.g. notmuch) do not have this problem because their
> signature verification indicators are bound directly to the part of the
> e-mail that is signed.
>
> Any suggestions for how to address this?
>
> --dkg
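The distinction discussed in this thread, as an added example that is not part of either message and is not Enigmail or notmuch code: a Python sketch that walks a MIME tree and reports where each multipart/signed part sits, so a signature indicator can be bound to the part it covers. The sample message, the addresses, the part-numbering scheme and the function names are constructed assumptions; no signature is verified.

```python
from email import message_from_string

# Constructed sample: an unsigned outer message that attaches a signed one.
SAMPLE = """\
From: alice@example.org
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Text the outer sender wrote; no signature covers it.
--outer
Content-Type: message/rfc822

From: bob@example.org
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Text the inner sender signed.
--inner
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--inner--
--outer--
"""

def signed_parts(part, path="1", in_attachment=False):
    """Yield (path, scope) for every multipart/signed part in the tree."""
    ctype = part.get_content_type()
    if ctype == "multipart/signed":
        if in_attachment:
            scope = "attached message only"
        elif path == "1":
            scope = "whole message body"
        else:
            scope = "sub-part only"  # e.g. a list added a footer part
        yield path, scope
    if part.is_multipart():  # also true for message/rfc822 containers
        nested = in_attachment or ctype == "message/rfc822"
        for i, child in enumerate(part.get_payload(), 1):
            yield from signed_parts(child, f"{path}.{i}", nested)

def report(raw):
    return list(signed_parts(message_from_string(raw)))

if __name__ == "__main__":
    print(report(SAMPLE))
```

A mail client could use the reported scope to show a message-level "Good signature" header only for "whole message body" and attach any other result to the specific part.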
