Re: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
[Please don't cross-post!] On Tue, 5 Feb 2019 12:47, gnupg-users@gnupg.org said: > THE DATE PROBLEM. Only the body of the email is signed, not the > envelope headers, namely the subject and intended recipients, and Sure, mail headers are subject to changes. For example by mailing list software or simpluy by forwarding mail. Tehre is a reason that OpenPGP signatures carry a creation date. > THE STRIPPING PROBLEM. Currently, each attachment is signed separately > and independently by the PGP-MIME standard. It would be preferable to Nope. Please actually read RFC3156 and check compliant implementation - All I known get it right. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
On 2/5/2019 at 4:50 PM, "justina colmena via Gnupg-users" wrote:>THE DATE PROBLEM. Only the body of the email is signed, not the envelope headers, namely the subject and intended >recipients, and probably most importantly, the date. It would be nice to have an option to automatically include some of >these headers in the body of the signed message when composing a signed email message. >THE STRIPPING PROBLEM. Currently, each attachment is signed separately and independently by the PGP-MIME >standard. It would be preferable to digitally sign SHA hashes of the main message and all attachments in a single >additional attachment. This would leave an indication of any attachments that may have been "stripped" from the email >message, but without breaking the signatures of remaining attachments in such cases. = In this case, there is a simple workaround : [1] Put the subject, the intended recipients, and the date, in the introductory line(s) in the plaintext. [2] enarmor all the attachments, [ using the GnuPG --enarmor command (-a command in PGP) ], and paste the enarmored text into the body of the message, at the end of the message, right after a line saying; here are the following attachments :[3] Sign and encrypt the entire message composed of parts [1] and [2] and send it off this has the following 3 advantages: (a) no one knows what kind of attachments are being sent, or how many. (b) all the important data is in the Plaintext, where it belongs, and not vulnerable to MIMT attacks (c) backward compatibility in maintained, and no new standards have to be designed vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
On February 4, 2019 8:07:33 AM AKST, Citizen Kepler wrote: >I would like to say that I need to have a signature on all of the >emails that I send to authenticate me as the sender, but not encrypt >them. Often these messages are going back into bug tracking systems or >mailing lists, and manually signing each email is a bad solution. I >will need to allow a opt-in sign by default option. [[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]] PGP signatures do have a couple of rather severe and vicious limitations. THE DATE PROBLEM. Only the body of the email is signed, not the envelope headers, namely the subject and intended recipients, and probably most importantly, the date. It would be nice to have an option to automatically include some of these headers in the body of the signed message when composing a signed email message. THE STRIPPING PROBLEM. Currently, each attachment is signed separately and independently by the PGP-MIME standard. It would be preferable to digitally sign SHA hashes of the main message and all attachments in a single additional attachment. This would leave an indication of any attachments that may have been "stripped" from the email message, but without breaking the signatures of remaining attachments in such cases. Bust that 55+ EFF nightclub and do it right, folks, unless it's the youth wing spouting the exact same old fogies' party line. -- Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no serĂ¡ infringido. https://www.colmena.biz/~justina/contacto.php signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
