On Thu, 2002-06-27 at 03:15, Steve Murphy wrote:
> I'll throw in my .02 here.
>
> As far as dropping pgp support in evolution, in favor of gpg, I think
> that it's a perfectly reasonable thing to do, seeing as pgp is not
> supported any more, is broken, and it won't change the level of
> <evolution/other mailer> interoperability one bit. GPG libraries are
> 100% available for linking against, on all platforms evolution can be
> compiled and run on. Even on windows, if you are using PGP, you can
> still build GPG and not affect your PGP installation at all.
>
> Ralph Sanford's issue of how interoperable evolution is with outlook and
> other mailers is orthogonal to the direct support of a pgp interface in
> evolution.
>
> Here's my view on the state of PGP encryption interoperability between
> the several email GUI providers:
>
> 1. it completely, totally, unanimously sucks. It's easier to find the
> mode whereby it works at all between vendors, and keep that in mind as
> you use it.
>
> Here's some of my observations:
>
> 1. evolution evaluates encryption in the wrong place in the dataflow,
> and therefore has a difficult time verifying signatures. The dataflow
> reformats the letter, like modifying the line widths, etc, and would
> probably have been better to check the original message at the front of
> the dataflow instead. Fejj, I think, has been working on this, and I
> think he knows all about the limitations, and apparently, it will take a
> lot of work to re-do this, if it ever gets done.

multipart/signed has been fixed in 1.1.x version. It treats the content
entirely as opaque data as per rfc. The 'openpgp' inline-pgp stuff won't,
and probably never will, be reliable or supported.

> 2. Evolution PGP signatures louse up outlook. It's most likely OK to
> PGP-sign your letters, if you don't have any attachments. But if you
> do, it's useless to sign the letter if the recipient is an outlook user,
> because they most likely will not be able to recover your attachment
> properly. And, outlook PGP users will most likely not be able to verify
> the signature with attachments in the mix anyway.

Only check it against the 1.1.x tree. The 1.0.x tree has many known
issues and *usually* creates broken signatures.

> If you want to send encrypted attachments using evolution, with an
> outlook recipient, encrypt the files first, then send the encrypted file
> as an attachment from evolution to outlook. And don't sign the letter if
> it has attachments.
>
> 3. PGP for outlook has some interesting limitations, probably most
> likely because of the interface available to them with MS Outlook. At
> least, that's the impression I got from wrangling over these issues with
> PGP support. I'd have to assume that the PGP team were fairly
> intelligent people, and tried to do what they could. I pointed out a
> weakness in the way they were doing things: If you sign just the letter,
> and require each attachment to be encrypted and/or signed separately,
> how can you really tell if some third party removed an attachment? They
> never answered this one. At any rate, the multilevel mime encapsulation
> that evolution does is way over PGP's head as far as capability.

Maybe they're working with the older rfc. Some things changed, some in a
non-compatible way. The whole thing is a bit of a mess.

> With each email vendor doing encryption their own way, and probably all
> them following the RFC's concerned, but restricting themselves to
> supporting just certain segments of the RFC's, interoperability is
> non-existent.

Always the problem with 'may' features. Apparently s/mime is much worse.

> Fejj has found some loopholes and problems with the encryption specs.
> Yet PGP as a standard set is virtually dead. The mailing lists are
> silent. Maybe a new standard is in order; maybe a reduction in the
> number of options available in the current one is in order, I can't say.
> All I know is, if the world wants to use encryption generally, it ain't
> gonna get what it wants.
>
> The best thing I can think of is some mail-preprocessor to handle the
> decryption/signature verification for evolution. Because what you see
> when a letter ends up being displayed in evolution may not be exactly
> what you got originally, it's too late to successfully decrypt most
> messages, except what's been sent by another evolution user.

Well, as I said, multipart/signed should be reliable now, and is the only
reasonable solution anyway.

> Enough rambling. I'd love to see encryption more widely used. Right now,
> I feel like the only thing you can send via email is the equivalent of a
> post card. To heck with privacy.
>
> murf
>
> _______________________________________________
evolution maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution
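
Added example (not part of the original thread and not Evolution's code): the difference discussed above between hashing the signed part of a multipart/signed message as opaque received bytes and hashing it after a display-style reflow. The sample message, the boundary `b1` and the helper names are constructed for illustration, and SHA-256 stands in for the digest a signature would cover.

```python
import hashlib
import textwrap

# Constructed sample message with CRLF line endings; the signature is a placeholder.
RAW = (
    b'Content-Type: multipart/signed; boundary="b1";\r\n'
    b' protocol="application/pgp-signature"; micalg=pgp-sha256\r\n'
    b'\r\n'
    b'--b1\r\n'
    b'Content-Type: text/plain; charset=us-ascii\r\n'
    b'\r\n'
    b'A fairly long line of body text that a display pipeline may re-wrap.\r\n'
    b'Trailing space here: \r\n'
    b'\r\n'
    b'--b1\r\n'
    b'Content-Type: application/pgp-signature\r\n'
    b'\r\n'
    b'(constructed placeholder, not a real signature)\r\n'
    b'--b1--\r\n'
)

def signed_part_bytes(raw: bytes, boundary: bytes) -> bytes:
    """Return the first body part (its headers and body) byte for byte.

    The CRLF directly before a boundary delimiter belongs to the
    delimiter (RFC 2046), so it is left out of the returned data.
    """
    delim = b'--' + boundary
    start = raw.index(delim + b'\r\n') + len(delim) + 2
    end = raw.index(b'\r\n' + delim, start)
    return raw[start:end]

def reflow_for_display(part: bytes, width: int = 40) -> bytes:
    """Mimic a display pipeline: LF line endings, no trailing spaces, re-wrapped."""
    head, _, body = part.partition(b'\r\n\r\n')
    lines = []
    for line in body.decode('ascii').split('\r\n'):
        lines.extend(textwrap.wrap(line.rstrip(), width) or [''])
    return head + b'\n\n' + '\n'.join(lines).encode('ascii')

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

if __name__ == '__main__':
    part = signed_part_bytes(RAW, b'b1')
    print('opaque bytes :', digest(part))
    print('after reflow :', digest(reflow_for_display(part)))
```

The two digests differ, so a verifier fed the reflowed text would reject a signature that is valid over the bytes as received.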
