Re: Content-Type in DSAs
On Tuesday, 2004-01-06 at 18:00:13 +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
> Clinging to sanity, Alexander Neumann mumbled in his beard:
>> * Lupe Christoph [EMAIL PROTECTED] wrote:
>>> Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>>>
>>>   Content-Type: application/pgp; format=text; x-action=sign
>>
>> - PGP/MIME
>
> No. PGP/MIME is multipart/signed on the top level, whatever the mime type of the message is in the first MIME part, and application/pgp-signature in the second MIME part.
>
> application/pgp is a never standardized text/plain variant of an inline signed message, with the main problem that some Mailers do not render it correctly (since they assume that unknown application/... is binary, not text).

Martin Schulze does not use application/pgp anymore. I found it only in older DSAs sent by him.

I now understand why the text/plain format is used. For something as important as DSAs, I would use that myself.

Thanks for your explanations, people!
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett |
Content-Type in DSAs
Hi!

When I recently read about problems with verifying the PGP signature of DSAs, I realized that for most DSAs mutt does not automatically check the signature.

Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:

  Content-Type: application/pgp; format=text; x-action=sign

Newer ones from him and all others have this:

  Content-Type: text/plain; charset=us-ascii

Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message, mutt will lose the info when it leaves the mailbox.

I'm wondering if there is a *technical* reason for not using application/pgp in DSAs. If there isn't, I would like to ask the security group to use that in order to make MUAs like mutt verify their signatures automatically.

Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

Thank you for your patience,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett |
Re: Content-Type in DSAs
* Lupe Christoph [Tue, 06 Jan 2004 11:25:27 +0100]:
> When I recently read about problems with verifying the PGP signature of DSAs, I realized that for most DSAs mutt does not automatically check the signature.
>
> Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>
>   Content-Type: application/pgp; format=text; x-action=sign

I think this format is obsolete. A correct PGP/MIME message would read something similar to (correct me if I'm wrong):

  Content-Type: multipart/signed; micalg=pgp-sha1; protocol=application/pgp-signature; boundary=tKW2IUtsqtDRztdT

> Newer ones from him and all others have this:
>
>   Content-Type: text/plain; charset=us-ascii
>
> Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message, mutt will lose the info when it leaves the mailbox.
>
> Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

I know about the procmail hack too, and it miserably fails when the message is a multipart one. Of course the long term solution is to get everybody to use the new not-obsolete PGP/MIME format, but in the meanwhile I would recommend to mutt users to try this little mutt hook:

  message-hook '!(~g|~G) ~b^-----BEGIN\ PGP\ (SIGNED\ )?MESSAGE' "exec check-traditional-pgp"

Personally, I found it quite useful, as I've now completely forgotten about headaches brought by inline-signed mail. (The hook, obviously, simulates pressing ESC P *each* time the message is viewed.)

HTH.

--
Adeodato Simó (a.k.a. thibaut)
EM: asp16 [ykwim] alu.ua.es | IM: my_dato [jabber.org] | PK: DA6AE621

If there is a sin against life, it consists perhaps not so much in despairing of life as in hoping for another life and in eluding the implacable grandeur of this life.
-- Albert Camus
Re: Content-Type in DSAs
Hi Lupe,

* Lupe Christoph [EMAIL PROTECTED] wrote:
> Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>
>   Content-Type: application/pgp; format=text; x-action=sign

- PGP/MIME

> Newer ones from him and all others have this:
>
>   Content-Type: text/plain; charset=us-ascii

- old, deprecated format

> Mutt *can* verify these, but only when told with (default) ESC P. And this does not change the message, mutt will lose the info when it leaves the mailbox.

right. mutt doesn't change the mail but just verifies the message.

> I'm wondering if there is a *technical* reason for not using application/pgp in DSAs. If there isn't, I would like to ask the security group to use that in order to make MUAs like mutt verify their signatures automatically.

There is a reason: Broken MUAs which still do not support PGP/MIME.

> Yes, I know about the procmail hack. And I will set it up now. But for the sake of people like me before I started to investigate this, I still wanted to ask this question.

This is a workaround, not a solution. The solution would be either to fix broken MUAs or to not use such broken MUAs.

- Alexander
Re: Content-Type in DSAs
Clinging to sanity, Alexander Neumann mumbled in his beard:
> Hi Lupe,
>
> * Lupe Christoph [EMAIL PROTECTED] wrote:
>> Comparing the DSAs and reading how mutt recognizes a PGP signed message, I found that only some DSAs from Martin Schulze have a Content-Type as mutt wants it:
>>
>>   Content-Type: application/pgp; format=text; x-action=sign
>
> - PGP/MIME

No. PGP/MIME is multipart/signed on the top level, whatever the mime type of the message is in the first MIME part, and application/pgp-signature in the second MIME part.

application/pgp is a never standardized text/plain variant of an inline signed message, with the main problem that some Mailers do not render it correctly (since they assume that unknown application/... is binary, not text).

cheers
-- vbi

--
Protect your privacy - encrypt your email: http://fortytwo.ch/gpg/intro
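
The three formats compared in this thread (PGP/MIME as multipart/signed, the legacy application/pgp type, and an inline-signed text/plain body), plus the multipart case that trips up header-rewriting workarounds, can be told apart from the headers and body structure alone. The following is an added example, not code from any poster in the thread: the function names, labels and sample messages are constructed for illustration, and it only classifies the format, it does not verify a signature.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

SIG = "application/pgp-signature"
ARMOR = re.compile(r"^-----BEGIN PGP SIGNED MESSAGE-----\s*$", re.M)

def param(msg, name):
    """Content-Type parameter as a lowercase string ('' if absent)."""
    return collapse_rfc2231_value(msg.get_param(name, "")).lower()

def has_armor(part):
    """True if a leaf part's decoded body opens an inline-signed block."""
    body = part.get_payload(decode=True) or b""
    return bool(ARMOR.search(body.decode("ascii", "replace")))

def classify(raw):
    """Name the signing format of a raw message (labels are illustrative)."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.is_multipart():
        parts = msg.get_payload()
        # PGP/MIME: signed content first, detached signature second.
        if (param(msg, "protocol") == SIG and len(parts) == 2
                and parts[1].get_content_type() == SIG):
            return "pgp-mime"
        return "multipart-signed-other"
    if ctype == "application/pgp" and param(msg, "x-action") == "sign":
        return "application-pgp"
    # Inline armor can sit in the top-level body or in a text part of a multipart.
    texts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    if any(has_armor(p) for p in texts):
        return "inline-in-multipart" if msg.is_multipart() else "inline-text-plain"
    return "unsigned"

# Constructed samples; the signature blocks are placeholders, not real signatures.
SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nadvisory text\n"
          "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
LEGACY = "Content-Type: application/pgp; format=text; x-action=sign\n\n" + SIGNED
INLINE = "Content-Type: text/plain; charset=us-ascii\n\n" + SIGNED
PGP_MIME = ('Content-Type: multipart/signed; micalg=pgp-sha1;\n'
            ' protocol="application/pgp-signature"; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nadvisory text\n"
            "--b1\nContent-Type: application/pgp-signature\n\n(placeholder)\n--b1--\n")
WRAPPED = ('Content-Type: multipart/mixed; boundary="b2"\n\n'
           "--b2\n" + INLINE + "--b2--\n")

if __name__ == "__main__":
    for name in ("LEGACY", "INLINE", "PGP_MIME", "WRAPPED"):
        print(name, "->", classify(globals()[name]))
```

The two `inline-*` results are the cases that, per the thread, mutt leaves unchecked until ESC P or the message-hook runs.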