On 03/13/2013 02:36 AM, David Benfell wrote:
> On 03/12/2013 03:46 PM, Daniel Kahn Gillmor wrote:
>> The message i'm writing right now is not signed by me (please
>> inspect the source to verify). However, when viewed in enigmail, I
>> believe it will have a "Good signature" header if you already have
>> my key.
>
> I do indeed already have your key. I'm not sure where from. Are you
> involved with sks?
i kibbitz on sks-devel sometimes :)
>> This is because i've attached another e-mail from me below, and
>> that e-mail itself is signed. that is, this message has a
>> message/rfc822 subpart that itself contains a PGP/MIME-signed
>> message.
>
> Confirmed.
Just to be clear: you see an enigmail signed-message confirmation when
you view that message? I only ask because Jean-David Byer did not see one.
>> Using the enigmail UI, i see no way to distinguish which part of
>> the message is actually the signed part.
>
> It certainly doesn't highlight that the attachment is signed rather
> than the message body.
This is exactly the problem.
>> This seems to be a serious message verification/authenticity
>> concern. If anyone is unclear on the risk and is willing to
>> volunteer, i'd be willing to craft a bogus message to you from your
>> own e-mail. just send me a PGP/MIME-signed message, and i'll send
>> you back a different message "from yourself" that appears to be
>> signed by you.
>
> I'm cc'ing you directly with this message. Let's play!
You did not send a PGP/MIME-signed message this time -- you sent an
inline PGP message, which behaves slightly differently.
however, i found an old PGP/MIME-signed message from you and used it to
send you a forged message privately. It uses your old/revoked key, but
it's close enough :P
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________
enigmail-users mailing list
[email protected]
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
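The structural problem in this thread is that a mail client can report "Good signature" for a multipart/signed part buried inside a message/rfc822 attachment while saying nothing about the fact that the top-level body is not covered by that signature. The following script is an added example (not code from the thread, from Enigmail, or from any of the participants) that maps a MIME tree and reports which text, if any, no signature covers. It does no cryptographic verification at all; the two sample messages are constructed for the example, the PGP signature block is a placeholder, and the addresses are made up. Per RFC 3156 only the first child of a multipart/signed container is the signed content, so the checker marks exactly that subtree as covered.

```python
"""Map a MIME tree and report which parts a PGP/MIME signature covers.

Added example: structural analysis only, no signature verification.
"""
from email import policy
from email.message import Message
from email.parser import BytesParser

# Constructed sample: a message that is multipart/signed at the top level.
# The signature body is a placeholder, not a real OpenPGP signature.
INNER_SIGNED = b"""\
From: alice@example.org
To: bob@example.org
Subject: inner message (signed)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

This inner text is what Alice actually signed.
--inner
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
--inner--
"""

# Constructed sample with the shape discussed in the thread: an unsigned
# top-level body plus a message/rfc822 attachment that is itself signed.
OUTER_UNSIGNED = b"""\
From: someone@example.net
To: bob@example.org
Subject: outer message (unsigned)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

This outer text is covered by no signature at all.
--outer
Content-Type: message/rfc822

""" + INNER_SIGNED + b"""--outer--
"""


def parse(raw: bytes) -> Message:
    """Parse raw RFC 822 bytes; message/rfc822 parts become nested Messages."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def walk_with_path(part: Message, path=(), covered=False):
    """Yield (path, part, covered) for every part, recursing into multipart
    containers and message/rfc822 attachments. 'covered' is True only for
    parts inside the signed content of some multipart/signed container."""
    yield path, part, covered
    if part.is_multipart():
        is_signed = part.get_content_type() == "multipart/signed"
        for i, sub in enumerate(part.get_payload()):
            # RFC 3156: child 0 is the signed content, child 1 is the
            # detached signature. Only child 0 is covered.
            yield from walk_with_path(sub, path + (i,), covered or (is_signed and i == 0))


def signed_containers(msg: Message):
    """Paths of every multipart/signed part; () means the top level."""
    return [path for path, part, _ in walk_with_path(msg)
            if part.get_content_type() == "multipart/signed"]


def uncovered_text(msg: Message):
    """Text of every text/* leaf that no signature covers."""
    return [part.get_content().strip()
            for _, part, covered in walk_with_path(msg)
            if part.get_content_maintype() == "text" and not covered]


def top_level_is_signed(msg: Message) -> bool:
    """True only when the outermost container is multipart/signed."""
    return msg.get_content_type() == "multipart/signed"


def describe(raw: bytes) -> dict:
    """Summarise what a 'Good signature' indicator would really be about."""
    msg = parse(raw)
    return {
        "top_level_signed": top_level_is_signed(msg),
        "signed_parts_at": signed_containers(msg),
        "uncovered_text": uncovered_text(msg),
    }


if __name__ == "__main__":
    for name, raw in (("nested-in-attachment", OUTER_UNSIGNED),
                      ("signed-at-top-level", INNER_SIGNED)):
        print(name, describe(raw))
```

For the nested sample the report lists the only signed container at path `(1, 0)` (inside the second top-level child) and returns the outer body as uncovered text; for the top-level-signed sample the container is at `()` and nothing is uncovered. A client that surfaced this distinction next to its "Good signature" indicator would not let the attachment's signature be mistaken for a signature on the message the user is reading.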
