Memory Hole discussion / OpenPGP e-mail header protection

Alexander Strobel Alexander.Strobel at giepa.de
Wed Jul 22 09:34:21 CEST 2015


> I know that this is harder to do in Outlook.  But well, security aware
> people won't use OL at all.

Well, this depends on the threat model. ;)

>> Because of this I would prefer icons and/or a textual representation.
>
> That is fine in addition to a different rendering. Inline-icons and
> strings are easy to fake, though.

Right, this way I didn't see it until now. But I like the idea of
Mailvelope with displaying an user defined icon.

>> To implement this for PGP/MIME was our understanding too.
>> We are able to read PGP/MIME without problems. Creating RFC conform
>> PGP/MIME in contrast _is_ a problem for us, as Outlook/Exchange
>> inserts an empty MIME part and destroys the content-type of the
>> email and the first empty
>
> Are you using MAPISecureMessage::GetBaseMessage ? According to a telco
> I once did with the Outlook dev team this and the AfterWrite event
> allows to do perform any kind of message mangling without Outlook
> kicking in.  We have not tested this due to the lack of funds, though.

No, as this is in non managed code and we try not to mix up these as far
as possible. But it is an interesting starting point and we will
evaluate if this might work for us.



Regards
 Alex Strobel
 www.gpg4o.com

Am 20.07.2015 um 12:55 schrieb Werner Koch:
> On Mon,  6 Jul 2015 16:35, Alexander.Strobel at giepa.de said:
> 
>> in my opinion. As colors might be displayed wrong (if you don't use
>> something like web safe colors), there are some people outside which are
>> color blind or live in a culture where the meaning of a color is
> 
> Tyre, but for the majority of users a colored frame is a good and easy
> to grasp hint.  We do this in Kmail for about a decade and all tests
> showed that it worked as expected.
> 
> I know that this is harder to do in Outlook.  But well, security aware
> people won't use OL at all.
> 
>> Because of this I would prefer icons and/or a textual representation.
> 
> That is fine in addition to a different rendering.  Inline-icons and
> strings are easy to fake, though.
> 
>> To implement this for PGP/MIME was our understanding too. We are able to
>> read PGP/MIME without problems. Creating RFC conform PGP/MIME in
>> contrast _is_ a problem for us, as Outlook/Exchange inserts an empty
>> MIME part and destroys the content-type of the email and the first empty
> 
> Are you using MAPISecureMessage::GetBaseMessage ?  According to a telco
> I once did with the Outlook dev team this and the AfterWrite event
> allows to do perform any kind of message mangling without Outlook
> kicking in.  We have not tested this due to the lack of funds, though.
> 
> 
> 
> Shalom-Salam,
> 
>    Werner
> 
> 




More information about the Gnupg-devel mailing list