EFail mitigations for S/MIME
Werner Koch
wk at gnupg.org
Wed May 16 16:39:58 CEST 2018
On Wed, 16 May 2018 14:09, aheinecke at intevation.de said:
> No extension. Basically what I want to do is that for S/MIME HTML Mail / Mails
> with attachments GpgOL will only put the plaintext into Outlook if it also has
> a valid signature. Regardless of the trust in the signature.
You need to have the key for the signature and all kinds of online
checking of the key - remember it is X.509 and thus subject to malicious
certificates. We all know from OpenPGP that getting the key for a signed
message is not easy if people don't upload to a keyserver. For S/MIME
it is worse. Without a key you can't check the signature.
There are legitimate reasons not to sign a mail and to let the recipient
decide, based on the content, whether it has been received from the
expected sender. For example in a VS-NfD setting signatures are
simply out of scope and thus not used.
Shalom-Salam,
Werner
--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Thoughts are free. Exceptions are regulated by a federal law.