Mutt/GnuPG doc initial release

Douglas Elznic dfe@anize.org
Tue Sep 25 01:27:01 2001 

--=-Zw5lj/FKiaBAZ342TIwv
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable


Hello,
 I tried to post a bug about this to evolution's bugzilla but one of the
developers was not  that nice. See below. Please visit the bug page and
let the developers know what you think...

http://bugzilla.ximian.com/show_bug.cgi?id=3D10803

------bug discussion on bgzilla.ximian.com-------
Hello,
 Thanks for the hard work. Here is my little quibble:

accordding to rfc 2440 (openpgp rfc) email signatures should be clear
text. There should be an option within evolution to send signatures as
cleartext as described. It makes it easier to detach messages and save
them and a lot of mailing lists strip mime...=20
Furthermore the rfc states that it should be a clear text signature no
mime...

7. Cleartext signature framework

   It is desirable to sign a textual octet stream without ASCII armoring
   the stream itself, so the signed text is still readable without
   special software. In order to bind a signature to such a cleartext,
   this framework is used.  (Note that RFC 2015 defines another way to
   clear sign messages for environments that support MIME.)

   The cleartext signed message consists of:

     - The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a
       single line,

     - One or more "Hash" Armor Headers,

     - Exactly one empty line not included into the message digest,

     - The dash-escaped cleartext that is included into the message
       digest,

     - The ASCII armored signature(s) including the '-----BEGIN PGP
       SIGNATURE-----' Armor Header and Armor Tail Lines.

   If the "Hash" armor header is given, the specified message digest
   algorithm is used for the signature. If there are no such headers,
   MD5 is used, an implementation MAY omit them for V2.x compatibility.
   If more than one message digest is used in the signature, the "Hash"
   armor header contains a comma-delimited list of used message digests.

   Current message digest names are described below with the algorithm
   IDs.

------- Additional Comments From Jeff Stedfast 2001-09-24 19:03 -------

uh, okay mr smarty pants...try READING what you pasted 1 more time...
especially note this line:
(Note that RFC 2015 defines another way to
               clear sign messages for environments that support
MIME.)
and guess what, email is based on MIME.

------- Additional Comments From Doug Elznic 2001-09-24 19:19 -------

The RFC for openpgp is 2440, 2015 is for mime pgp. Note that it says
rfc 2015 defines another way, meaning not the way that the standard
says to do so. I was well aware of the 2015 reference. It only
bolseters my case that it says "another way".
How would you send gpg signed mail to mailing lists that strip mime
attachments? And how do you export the message and the signature to a
plain text file for archinving or printing. I recognize that email
uses mime but the unix way of doing things is flat text files. It
seems that the option should exist. Why would it be a bad idea to do
both? Thank you your comments are appreciated...=20









On Mon, 2001-09-24 at 18:59, Len Sassaman wrote:

> The issue isn't PGP signing messages to mailing lists, it's the MIME

> attachments.

>=20

> Some of the mailing lists I am on strip MIME attachments altogether.

> Others have web based archives. Others have digest versions.

>=20

> Conventional PGP signatures still verify on all of these lists. PGP/MIME

> does not.

>=20

>=20

> --Len.

>=20

> On Mon, 24 Sep 2001, Janusz A. Urbanowicz wrote:

>=20

> > Alexander Skwar wrote/napisa=B3[a]/schrieb:

> > [Charset iso-8859-1 unsupported, filtering to ASCII...]

> > > So sprach _Janusz A. Urbanowicz_ am 2001-09-24 um 13:44:47 +0200 :

> > > > Len Sassaman wrote/napisa?[a]/schrieb:

> > > > > Frankly, it's poor netiquette to post PGP/MIME messages to mailin=

g lists,

> > > > > for one,

> > > >

> > > > Why?

> > >

> > > Because normally it's not that terribly important to see from which

> > > person a mail orginated.  You know, I don't know you, so even if your

> > > mail would have been signed, it wouldn't mean more to me.  Also Werne=

r's

> > > mails to this list wouldn't mean more to me if they were signed, beca=

use

> > > he's also just a stranger.

> >

> > I don't think so.

> >

> > > So, it doesn't add anything which means that it's unneeded and thus p=

oor

> > > netiquette.

> >

> > And I think you are wrong or haven't done proper threat analysis. Case =

1:

> > someone impresonating Werner posts a message about a bug in GnuPG and a

> > patch to fix it. This patch actually plants a backdoor. In your approac=

h,

> > you have no way to tell nor it makes any difference to you.

> > Case 2 (real life example): a friend of mine is an active usenetter, sh=

e

> > also posts a lot to mailing lists. One day a sexually suggestive (at th=

e

> > verge of explicit) forged messaged attributed to her started to appear.=

 PGP

> > signing was the simplest way to make a good distinction of which messag=

es

> > come from her and which are forgeries.

> >

> > In saying about 'strangers' you forgot one thing: while on everyday use=

 of

> > PGP there is little need to use it to establish RL identity, it is a ve=

ry

> > good and a convenietnt way of establishing origin. I don't care much if

> > Werner's name is actually Werner, but I do care if new GPG releases com=

e

> > from its author.

> >

> > A good example is remailer-operator list. Anon remailer operators need =

not

> > to know each other's identities (I'm one of the few who reveal their na=

mes)

> > but need to know if given remailer configuration changes come from the

> > remailer's operator (because of MITM).

> >

> > Alex

> > --

> > C _-=3D-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling |       =

  |   *

> >  ; (_O : +-------------------------------------------------------------=

+ --+~|

> >  ! &~) ? | P=B3yn=B1=E6 chc=EA na Wsch=F3d, za Suez, gdzie jest dobrem =

ka=BFde z=B3o | l_|/

> > A ~-=3D-~ O| Gdzie przykaza=F1 brak dziesi=EAciu, a pi=E6 mo=BFna a=BF =

po dno;     |   |

> >

>=20

> --

>=20

> Len Sassaman

>=20

> Security Architect            |  "I must play their game, of

> Technology Consultant         |   not seeing I see the game."

>                               |

> http://sion.quickie.net       |                --R .D. Laing

>=20

>=20

>=20

>=20

>=20

>=20

>=20

>=20

>=20

>=20

> _______________________________________________

> Gnupg-users mailing list

> Gnupg-users@gnupg.org

> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--=20
+------------------+---------------------------------------------------+

|  Douglas Elznic  |        GPG Key: <dfe@anize.org> 0x13300731        |

+------------------+---------------------------------------------------+

|  Thinker-@-Large | Pub key can be obtained from http://pgp.dtype.org |

|   dfe@anize.org  | Fingerprint:                                      |

| dfelznic@syr.edu | EF9C 7E3C 0327 EAAF 1E20 5299 0805 7531 1330 0731 |

| http://anize.org | All emails should be signed by the above key.     |

+----------------------------------------------------------------------+

| They that can give up essential liberty to obtain a little temporary |

| safety deserve neither liberty nor safety... Benjamin Franklin 1759  |

+----------------------------------------------------------------------+

--=-Zw5lj/FKiaBAZ342TIwv
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEABECAAYFAjuvwjEACgkQCAV1MRMwBzFLWwCfZEhUvFdQKRsZxZoZvlDvoF4X
iGEAoKk54XxpnjJdIkzyfmz2wqonTM8/
=5jMS
-----END PGP SIGNATURE-----

--=-Zw5lj/FKiaBAZ342TIwv--