Memory Hole discussion / OpenPGP e-mail header protection

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jul 7 01:29:28 CEST 2015


Hi Alexander--

On Mon 2015-07-06 10:35:52 -0400, Alexander Strobel wrote:
> Does "headers to remove" mean that they are stripped from the email
> completely? Even as I can understand the intention to do something like
> this, I think this might be something which some MUAs aren't able to
> realize. I would not prefer such an explicit blacklisting.

i think the headers to remove will ultimately be up to the preferences
(and capabilities) of the MUAs in question, but having a set of
guidelines about what headers people generally prefer to drop entirely
would be useful.

there are RFC 822 constraints about headers which must be present that
MUAs wouldn't want to get rid of, of course.

> Using colors to communicate ok/error states is common, but bad usability
> in my opinion. As colors might be displayed wrong (if you don't use
> something like web safe colors), there are some people outside which are
> color blind or live in a culture where the meaning of a color is
> different from our understanding.
> Because of this I would prefer icons and/or a textual representation.

regardless of the use of color, we need a consistent textual
representation, for when people trigger help text or other "tell me
more about..." UI.

I generally agree with Alexander that color is a bad thing to rely on,
though.

> To implement this for PGP/MIME was our understanding too. We are able to
> read PGP/MIME without problems. Creating RFC-conformant PGP/MIME in
> contrast _is_ a problem for us, as Outlook/Exchange inserts an empty
> MIME part and destroys the content-type of the email and the first empty
> MIME part.

I've seen this problem listed before in several places.  Is this
documented someplace?  is Microsoft aware of this as a bug?  is there a
way that Microsoft customers can agitate for it to be fixed?

PGP/MIME is pretty important as a mechanism for making semantically
unambiguous e-mail message signatures (and encrypted e-mails, for that
matter).

> Defining a standard for protected-headers in INLINE messages might help
> other web-based "clients" like Mailvelope

I think mailvelope has switched to PGP/MIME.

  --dkg


