Hi,

I found recently that when someone sends me an E-mail signed by another,
the entire E-mail is treated as signed by that user. To recreate this
issue, you can do the following in Mozilla Thunderbird:

- Take an E-mail signed with PGP/MIME and save it as whatever.eml
- Optionally, open the .eml file and take out the "From", "To", etc.
headers (will cause the E-mail to take up less space at the bottom)
- Send an E-mail to anyone using Enigmail with that .eml file as an
attachment
- Enigmail treats the entire message as being signed by the signee in
the .eml file

I'm not sure if this mailing list will munge my attachment in some way,
but I have attached a signed message using a key I do not own as a test.

I'm not sure this is the expected behavior, but it seems to cause
opportunity for impersonation by anyone in possession of at least one
PGP/MIME signed message. Considering non-PGP/MIME messages embedded in a
normal plaintext E-mail will result in the message "Part of the message
signed;" along with "BEGIN ENCRYPTED or SIGNED PART" descriptors, is
there any way to turn on similar behavior for PGP/MIME messages?

Thanks,
-- 
    Vincent Canfield
         -cock-
5CB4 9CDC EAC7 97FB F8BD
C074 FD71 AD27 71A5 CC1B
--- Begin Message ---
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============4497800211716158112==
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="DGK2RKKbeGURKkq97xT6dskxG6ertqRQH"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--DGK2RKKbeGURKkq97xT6dskxG6ertqRQH
Content-Type: multipart/mixed; boundary="LfIU9esm5BgGQEMc1SLnnrLIoc4ICQxxk"
From: alexskc <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
Subject: thinking of distro hopping

--LfIU9esm5BgGQEMc1SLnnrLIoc4ICQxxk
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Fedora or Debian?


--LfIU9esm5BgGQEMc1SLnnrLIoc4ICQxxk--

--DGK2RKKbeGURKkq97xT6dskxG6ertqRQH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJW211/AAoJEC99/EXXYHvEM4cIAMZ05EVa/J8bakRrT2rQ/O24
A5YZ3Fumni++QlNB+mXNzBaWd7bvtCRKzfDlg6jJSV7xr5M7jnqHGabz4zA2ETM6
iX+N+tMEQGwyFW6MDsakwxLP0gnwgmESqlIcFYMZaiM0X49fJ9LsPuqfjoFz2oCr
ko7UtpvIaKfb5REnJiFOMyYFroyGj15+8M5MXltQk8z92Q5Am27vyJEeeyBVTfog
2NxZ6Zrm05wskbor9h1YtrlPajrq+oSCdAkx6KjulQWzAqRUK4MgnSxznMwW50GC
nI5xNBgoFB119eIvgXsvS6o8spCTEZR0vu+XisW7LUbor1bVDhsmMXh2BWwIKUw=
=X2ID
-----END PGP SIGNATURE-----

--DGK2RKKbeGURKkq97xT6dskxG6ertqRQH--

--===============4497800211716158112==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCjg9PT1bY29jay5saSBtYWlsaW5nIGxpc3Rd
PT09RA==

--===============4497800211716158112==--

--- End Message ---
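A receiving-side check for the situation reported above, as an added example that is not part of the original post and not Enigmail's code: it reports whether the PGP/MIME signed entity is the whole message or only a nested part, and which parts lie outside it. The sample message is constructed, with a placeholder instead of a real signature, and the function names are hypothetical.

```python
from email import message_from_string

# Constructed sample: an outer multipart/mixed mail carrying a PGP/MIME
# (multipart/signed) entity as one part. The signature is a placeholder.
SAMPLE = """\
Subject: outer message
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Text written by the sender, not covered by any signature.
--outer
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Fedora or Debian?
--inner
Content-Type: application/pgp-signature; name="signature.asc"

(placeholder, constructed: not a real signature)
--inner--
--outer--
"""

def is_pgp_signed(part):
    # RFC 3156: multipart/signed with the OpenPGP signature protocol.
    return (part.get_content_type() == "multipart/signed"
            and part.get_param("protocol") == "application/pgp-signature")

def signature_scope(msg):
    """Return 'whole', 'partial' or 'none' for PGP/MIME signature coverage."""
    if is_pgp_signed(msg):
        return "whole"
    return "partial" if any(is_pgp_signed(p) for p in msg.walk()) else "none"

def unsigned_leaves(msg, covered=False):
    """Content types of leaf parts that sit outside any signed entity."""
    covered = covered or is_pgp_signed(msg)
    if msg.is_multipart():
        return [t for p in msg.get_payload() for t in unsigned_leaves(p, covered)]
    return [] if covered else [msg.get_content_type()]

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print(signature_scope(m), unsigned_leaves(m))
```

A mail client or filter can use the "partial" result to label the signature as covering only the nested part rather than the whole message.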