Re: mutt feeds more to gnupg than it needs, causes invisible/lost
also sprach Derek Martin inva...@pizzashack.org [2009.11.30.0811 +0100]:
> Yes, I mean with any MIME. PGP predates MIME by about a year, as far as I can tell. So-called traditional PGP was intended to be used entirely within the message body, because at the time it was created there was *only* a message body. :) So as soon as you start adding MIME parts, you've sort of broken that model...

Note that my original message was not about MIME; adding text before and after the /^-/ PGP-traditional sentinels does not create MIME parts.

> Historically, any mailer I'd seen that had any PGP support built in would basically do the same thing you would do manually: punt the message to PGP, and hand you the results in its viewer or an editor. There never was any text outside the PGP portions -- including text outside the PGP block would have broken replies for pretty much everyone -- so this problem was a non-issue.
>
> Besides, mixing encrypted and unencrypted data in an e-mail is probably a bad idea... it presents more opportunities for accidental leakage of secret data.

Of course, but we do have two perfectly normal cases now:

1. full quote of a signed message by a top-poster instead of doing the right thing.
2. broken mailing list software attaching footers to non-MIME parts instead of converting the message to MIME.

Yes, both cases would not occur in a perfect world, but since there's a relatively easy fix, mutt can help for the time being.

> If you're going to use MIME (and you *should*), you should follow the standard for using PGP with MIME. If you're going to include in-line PGP inside MIME messages, you should probably expect that your mailer might get confused, cuz it's the Wrong Thing (TM) (some mailers don't handle in-line PGP at all, IIRC Evolution is an example, or was for a while at least). I should amend that by saying if you're going to include in-line PGP anywhere in a message, DON'T. ;-)
>
> It might be nice if Mutt could handle this better, but it's not a bug, and basically amounts to incorrect user expectation.

I think we all use PGP-MIME because we agree with you. Unfortunately, we failed to make E-mail a tool for clued people only. Just like we have to put up with design faults in SMTP forever (it'll take decades until a deprecated feature can be removed), we need to be able to deal with the PGP-traditional hack, in combination with the newer technology.

> If you take all that into consideration, I think it's the right call to leave it alone, and pressure your peers to stop doing things that are broken / obsolete.

The problem comes when they aren't your peers (but e.g. your boss), or when you deal with Outlook+PGP people, because as far as I know, there is no way to do PGP-MIME with Outlook.

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

perl -e 'print The earth is a disk!\n if ( earth == flat );'

spamtraps: madduck.bo...@madduck.net
Re: mutt feeds more to gnupg than it needs, causes invisible/lost
On Monday, November 30 at 09:58 AM, quoth martin f krafft:
> The problem comes when they aren't your peers (but e.g. your boss), or when you deal with Outlook+PGP people, because as far as I know, there is no way to do PGP-MIME with Outlook.

...Or if you deal with (Al)Pine+PGP people, because (Al)Pine cannot deal with PGP-MIME or any MIME format where one MIME component must be interpreted differently based on the contents of another MIME component.

As for Outlook... I guess you haven't seen GPG4Win? http://www.gpg4win.org/index.html

It supports PGP/MIME, S/MIME, and a few others.

~Kyle
-- 
Those who agree with us may not be right, but we admire their astuteness.
-- Cullen Hightower
Re: mutt feeds more to gnupg than it needs, causes invisible/lost
On Sun, Nov 29, 2009 at 09:59:32AM +0100, martin f krafft wrote:
> also sprach David J. Weller-Fahy dave-lists-mutt-us...@weller-fahy.com [2009.11.28.2236 +0100]:
> > I then entered ':exec check-traditional-pgp' in mutt, and viewed the message. The text preceding the digitally signed portion of the message was still visible.
>
> If I do the same with mutt from Debian sid (1.5.20 (2009-06-14)), then I definitely do not see the unsigned portions.

My Mutt is Mutt 1.5.20hg (2009-06-23), only slightly newer than yours, but it clearly does have code to handle the case of pgp-mixed text bodies (in pgp_application_pgp_handler() in pgp.c). So it would seem the discussion is moot.

You can either upgrade, or work around by unsetting pgp_auto_decode and not executing pgp-check-traditional on the message until you actually need to (e.g. reply to the message first if it contains only clear-signed data, then postpone your reply, then verify the signature if required -- or I believe you can undo Mutt's temporary changes caused by check-traditional-pgp to the message simply by reopening it). Either way, you'll get what you expect.

If you can't upgrade for some reason, and your correspondees send mixed PGP plain-text *encrypted* messages (i.e. part of the body is an encrypted PGP block, and part is not), then your only recourse is probably to educate your correspondees that what they're doing breaks replies for you, and likely anyone not using their particular mail client. I bet if you ask politely, you can get them to stop doing it.

-- 
Derek D. Martin http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
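Added example, not part of the original messages and not Mutt's code: the mixed-body case this thread is about (a top-posted remark or a list footer around a clear-signed block), split into the cleartext the armor frames and the text outside it. The sample body and the name `split_inline_pgp` are constructed for illustration, and only clear-signed blocks are handled.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: a remark above and a list footer below one signed block.
SAMPLE = """Top-posted remark added by the replier.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meet at noon.
- - bring the key
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
list footer appended by the list software
"""

def split_inline_pgp(body):
    """Return [(kind, text)]; kind is 'signed' (framed cleartext) or 'outside'."""
    regions, buf, state = [], [], "outside"
    def flush(kind):
        text = "\n".join(buf).strip("\n")
        if text.strip():
            regions.append((kind, text))
        buf.clear()
    for line in body.splitlines():
        s = line.rstrip()
        if state == "outside" and s == BEGIN_SIGNED:
            flush("outside")
            state = "headers"
        elif state == "headers":
            if s == "":                  # blank line ends the Hash: headers
                state = "signed"
        elif state == "signed" and s == BEGIN_SIG:
            flush("signed")
            state = "armor"
        elif state == "armor":
            if s == END_SIG:
                state = "outside"
        elif state == "signed" and line.startswith("- "):
            buf.append(line[2:])         # undo dash-escaping (RFC 4880, 7.1)
        else:
            buf.append(line)             # plain content, signed or outside
    flush("outside")                     # cleartext with no signature is untrusted
    return regions

# Framing only: the 'signed' text still has to be verified by gpg.
REGIONS = split_inline_pgp(SAMPLE)
```

A client can use the `outside` regions to show the reader which text no signature covers, rather than hiding it or presenting it alongside the verified text.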
PGP/MIME for Outlook (was: mutt feeds more to gnupg than it needs, causes invisible/lost)
also sprach Kyle Wheeler kyle-m...@memoryhole.net [2009.11.30.1638 +0100]:
> ...Or if you deal with (Al)Pine+PGP people, because (Al)Pine cannot deal with PGP-MIME or any MIME format where one MIME component must be interpreted differently based on the contents of another MIME component.
>
> As for Outlook... I guess you haven't seen GPG4Win? http://www.gpg4win.org/index.html
>
> It supports PGP/MIME, S/MIME, and a few others.

This is going off-topic, but I'd appreciate a response. GpgOL might be able to decipher PGP/MIME, which would be a grand step, but last I checked, it couldn't create PGP/MIME, only inline.

I don't have systems to check, but if that has changed, I would call up the service people of a client ASAP and tell them to have another go at implementing it.

Cheers,

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

seminars, n.: from semi and arse, hence, any half-assed discussion.

spamtraps: madduck.bo...@madduck.net
Re: mutt feeds more to gnupg than it needs, causes invisible/lost
also sprach Derek Martin inva...@pizzashack.org [2009.11.30.1921 +0100]:
> My Mutt is Mutt 1.5.20hg (2009-06-23), only slightly newer than yours, but it clearly does have code to handle the case of pgp-mixed text bodies (in pgp_application_pgp_handler() in pgp.c). So it would seem the discussion is moot.

Indeed. This is good news:

http://dev.mutt.org/trac/changeset/5908%3A7f37d0a57d83/pgp.c

Thanks for your patience in putting up with me. I did appreciate the discussion and hope not to have annoyed anyone.

Thanks especially to Brendan for the easy fix!

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

i doubt larry wall ever uses strict.
-- frederick heckel

spamtraps: madduck.bo...@madduck.net