On 2024-09-02 09:00, Werner Koch via Gnupg-users wrote:
> On Sat, 31 Aug 2024 18:29, T. S. said:
>
>> either because of the -----BEGIN PGP SIGNED MESSAGE----- strings, or because
>> the unknown attachments in the MIME message.
> Don't use that legacy inline PGP encryption.  Use PGP/MIME, a 28-year-old
> standard (RFC-2015).  You should give that unnamed attachment a
> name, for example
>
>    Content-Type: application/pgp-signature;
>             name="openpgp-digital-signature.asc"
>
> which clearly shows what kind of attachment this is.
>
>> When now looking at DKIM, this looks much more advanced. There is a Header in
>> the mail, containing the signature all details to the signature and
> <the_usual_rant> You may want to go back to the year ~2000 when DKIM was
> first presented at the IETF in Paris.  It was then a quick hack from the
> sendmail authors and it took only a few hours until an attack on this
> was found.  DKIM also broke with the long-standing rule of being able to
> work in a pipeline (iirc, this is called an online algo these days).
> Instead of doing all that DKIM stuff it would have been easier to
> directly use S/MIME or PGP/MIME and include copies of important headers
> in a signed attachment.  But well, attachments are ugly for some people.
> </>
Using S/MIME for server-to-server protection would involve heavy mangling
of mail bodies, unlike the header-only placement of DKIM signatures.  It
is true that DKIM generation and validation needs the entire mail in some
kind of storage, such as the mail spool of a resend-capable MTA, which is
a key reliability requirement for non-spam mail servers anyway.

As a mail admin I see a lot of buggy third-party mail servers built by rather
large companies, but the traditional line mangling so common before MIME
seems a thing of the past, while Base64-encoding mail bodies has become
the realm of buggy software and/or spam (I happen to use such a buggy big-name
SMTP library for mailing webshop receipts etc.).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
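As an added example (not part of this thread or of GnuPG), the PGP/MIME layout Werner describes, built and checked with Python's standard email library: a multipart/signed message whose detached signature part carries the explicit name he suggests, plus a receiver-side check that recovers the CRLF-canonical bytes a verifier must hash. The signer is a constructed stand-in for a real detached-signing tool, and the micalg value and addresses are assumptions.

```python
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SIG_NAME = "openpgp-digital-signature.asc"   # the name suggested in the thread

class FakeSigner:
    """Constructed stand-in for a detached signer such as gpg --detach-sign.
    Records the exact bytes it was given; returns a placeholder, NOT a real sig."""
    seen = None

    def __call__(self, data: bytes) -> bytes:
        self.seen = data
        return (b"-----BEGIN PGP SIGNATURE-----\n\n"
                b"PLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
                b"-----END PGP SIGNATURE-----\n")

def canonical_signed_part(part) -> bytes:
    # RFC 3156: the signature covers the whole first body part, headers
    # included, in canonical form with CRLF line endings (policy.SMTP).
    return part.as_bytes(policy=policy.SMTP)

def build_signed_message(text: str, sign) -> bytes:
    body = MIMEText(text, "plain", "us-ascii")      # 7bit, no Base64 needed
    armored = sign(canonical_signed_part(body))
    sig = MIMEApplication(armored, "pgp-signature",
                          _encoder=encoders.encode_7or8bit, name=SIG_NAME)
    sig.add_header("Content-Disposition", "attachment", filename=SIG_NAME)
    # micalg is an assumption here; a real signer reports the hash it used.
    msg = MIMEMultipart("signed", protocol="application/pgp-signature",
                        micalg="pgp-sha256", _subparts=[body, sig])
    msg["From"], msg["To"] = "sender@example.org", "recipient@example.org"
    msg["Subject"] = "PGP/MIME example"
    return msg.as_bytes()

def inspect_pgp_mime(raw: bytes) -> dict:
    # Receiver side: check the multipart/signed layout and recover the exact
    # CRLF-canonical bytes that a verifier must hash against the signature.
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.iter_parts())
    info = {"content_type": msg.get_content_type(), "part_count": len(parts),
            "protocol": msg.get_param("protocol"), "micalg": msg.get_param("micalg")}
    if info["content_type"] == "multipart/signed" and len(parts) == 2:
        info["signed_data"] = canonical_signed_part(parts[0])
        info["signature_name"] = parts[1].get_filename()
        info["signature"] = parts[1].get_content()
    return info
```

The round trip through the standard parser yields byte-identical signed data, which is exactly what a real verifier needs; a relay that re-encodes the body (for instance to Base64, as complained about above) would break that equality.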

