On Fri, 2002-02-22 at 03:56, Derek D. Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> For all of the above reasons, I argue both that PGP signatures do add
> value to a message, and that there is absolutely no comparison between
> a PGP signature and any of the aforementioned methods of message
> formatting.

I would like to add another reason. I have yet to hear of a security vulnerability caused by, exploited using, or found in, a PGP/GPG signature. MSTNEF had an issue where you could munge the header information (much like RTF), and exec arbitrary code on the receiving machine. Winmail.dat used to carry a user's password in it. HTML can have embedded scripting in it that, if the mailer isn't careful, can do a whole host of nasty things. A PGP or GPG signature is a small block of plain text that does nothing of its own volition. It is merely used to authenticate a person's e-mail. All of the formatting methods mentioned actively *DO* something if the sender is malicious.

> If you happen to use some other mailer at an alternate location, the
> mailers which can be made to understand cleartext PGP signatures, and
> thereby reduce or eliminate "clutter" include (but are not limited
> to):
>
> mutt
> pine
> exmh
> kmail
> Microsoft Outlook

I would also add Outlook Express. There is a patch for it called gpgoe. It is also possible to use GPG in the Windoze world. There is even a pretty decent front end to it called WinPT (http://www.winpt.org).

C-Ya,
Kenny
