Hi Joshua--

On Tue 2015-02-10 10:18:56 -0500, Joshua Rogers wrote:
> I sent an example to somebody, and they forwarded the email back to
> me (as a ForwardedMessage.eml), and commented in the forward.
> When I sent the email, I signed it.
> When they forwarded the email back to me, despite not coming from me and
> only being in the ForwardedMessage.eml, I got: "Good signature from
> Joshua Rogers (Internot IT) <<removed>> "
> <removed> is the email my GPG key has in it.
>
> Is this normal behaviour?
> I assume this could be used to impersonate somebody...
>
> Screenshot attached to show what I mean.
>
> Please include me as CC on reply, as I'm not subscribed to this list.

I think this is an instance of:

  https://sourceforge.net/p/enigmail/bugs/362/

  "Spoofable signatures: a message with a pgp/mime subpart is
  indistinguishable from a message that is signed as a whole"

(the above link may not work properly right now, as it appears that
sourceforge is in some sort of disaster-recovery mode, and their site is
being redirected to cloudfront)

  --dkg
_______________________________________________
enigmail-users mailing list
[email protected]
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
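The distinction named in the bug title quoted above, as an added example that is not part of the original thread or Enigmail's code: a check that reports whether a PGP/MIME signature covers the whole message or only a nested part such as a forwarded attachment. The sample messages, addresses and function names are constructed for illustration, and no signature is actually verified here.

```python
from email import message_from_string

def find_signed(part, path=()):
    """Return the tree paths of every PGP/MIME multipart/signed part."""
    hits = []
    if (part.get_content_type() == "multipart/signed"
            and part.get_param("protocol") == "application/pgp-signature"):
        hits.append(path)
    if part.is_multipart():  # also true for message/rfc822 attachments
        for i, child in enumerate(part.get_payload()):
            hits += find_signed(child, path + (i,))
    return hits

def signature_scope(raw):
    """Classify what a 'good signature' result could legitimately refer to."""
    hits = find_signed(message_from_string(raw))
    if () in hits:
        return "whole-message", hits   # root part itself is signed
    if hits:
        return "subpart-only", hits    # outer headers and other parts unsigned
    return "unsigned", hits

# Constructed sample: a message signed as a whole (placeholder signature).
SIGNED = (
    "From: sender@example.org\n"
    "Subject: original\n"
    'Content-Type: multipart/signed; micalg=pgp-sha256; '
    'protocol="application/pgp-signature"; boundary="sig"\n'
    "\n"
    "--sig\nContent-Type: text/plain\n\nsigned body\n"
    "--sig\nContent-Type: application/pgp-signature\n\n"
    "(constructed placeholder, not a real signature)\n"
    "--sig--\n"
)

# Constructed sample: someone else forwards it as an attachment with a comment.
FORWARD = (
    "From: forwarder@example.net\n"
    "Subject: Fwd: original\n"
    'Content-Type: multipart/mixed; boundary="outer"\n'
    "\n"
    "--outer\nContent-Type: text/plain\n\ncomment added by the forwarder\n"
    "--outer\nContent-Type: message/rfc822\n\n" + SIGNED + "\n--outer--\n"
)

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("forward", FORWARD)):
        print(name, signature_scope(raw))
```

A mail client can use a result like "subpart-only" to show the signature status next to the attached part rather than on the outer message's sender line.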
