EFail mitigations for S/MIME

Werner Koch wk at gnupg.org
Wed May 16 16:39:58 CEST 2018

On Wed, 16 May 2018 14:09, aheinecke at intevation.de said:

> No extension. Basically what I want to do is that for S/MIME HTML Mail / Mails 
> with attachments GpgOL will only put the plaintext into Outlook if it also has 
> a valid signature. Regardless of the trust in the signature.

You need to have the key for the signature and all kinds of online
checking of the key - remember it is X.509 and thus subject to malicious
certificates.  We all know from OpenPGP that getting the key for a signed
message is not easy if people don't upload to a keyserver.  For S/MIME
it is worse.  Without a key you can't check the signature.

There are legitimate reasons not to sign a mail and to let the recipient
decide, based on the content, whether it has been received from the
expected sender.   For example in a VS-NfD setting signatures are
simply out of scope and thus not used.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.