Evolution signatures

Ben Finney ben@benfinney.id.au
Wed Aug 6 10:32:01 2003

On 06-Aug-2003, Adrian 'Dagurashibanipal' von Bidder wrote:
> What I want is not to protect all mail headers, but those that may be
> relevant for the interpretation of a mail - namely From, To, Subject,
> perhaps Date - because when I receive a mail, it might have a
> completely different meaning depending on the Subject, or depending on
> the From: address.
> Currently, I should best just delete those headers before looking at a
> signed email - if I'm a serious paranoid, I should only look at the
> information that is signed and suspect everything else to be fake. Of
> course I don't do that...

I don't see that any of these headers are a good target for signing.

  - If the From: header changes, you can check it against the UIDs for
    the signing key.  Signing the From: header doesn't gain anything.

  - If the To: header changes enough to be significant, how did it get
    delivered to you anyway?

  - If the Date: header changes, you can check it against the timestamp
    of the signature.

  - If the Subject: header changes, it should affect the context of the
    message at all.  If it does, your correspondents are misusing the
    Subject: header.  It's supposed to be a summary indication of the
    contents, not an integral part of them.

 \      "I don't know half of you half as well as I should like, and I |
  `\      like less than half of you half as well as you deserve."  -- |
_o__)                                                    Bilbo Baggins |
Ben Finney <ben@benfinney.id.au>
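
The From: and Date: cross-checks described in the message above, as an added example that is not part of the original post. It assumes the signing key's UIDs and the signature timestamp have already been obtained from the OpenPGP verifier; the function name, the one-hour tolerance and the sample messages are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime


def check_unsigned_headers(raw_message, key_uids, sig_time,
                           max_skew=timedelta(hours=1)):
    """Compare unsigned From:/Date: headers with data covered by the signature.

    key_uids: UID strings of the key that made the (already verified) signature.
    sig_time: timezone-aware signature creation time.
    Returns a list of findings; an empty list means the headers are consistent.
    """
    msg = message_from_string(raw_message)
    findings = []

    # From: must match the address part of one of the signing key's UIDs.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    uid_addrs = {parseaddr(uid)[1].lower() for uid in key_uids}
    if not from_addr or from_addr not in uid_addrs:
        findings.append(f"From: {from_addr or '(missing)'} is not a UID of the signing key")

    # Date: must be close to the signature timestamp (tolerance is an assumption).
    try:
        sent = parsedate_to_datetime(msg.get("Date"))
    except (TypeError, ValueError):
        sent = None
    if sent is None:
        findings.append("Date: header missing or unparsable")
    else:
        if sent.tzinfo is None:          # "-0000" parses as naive; treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if abs(sent - sig_time) > max_skew:
            findings.append(f"Date: differs from signature time by {abs(sent - sig_time)}")
    return findings


# Constructed sample data, not taken from the original thread.
KEY_UIDS = ["Alice Example (work) <alice@example.org>"]
SIG_TIME = datetime(2003, 8, 6, 10, 32, 5, tzinfo=timezone.utc)
GOOD = ("From: Alice <alice@example.org>\n"
        "Date: Wed, 06 Aug 2003 10:32:01 +0000\n"
        "Subject: test\n\nsigned body\n")
TAMPERED = ("From: Mallory <mallory@example.net>\n"
            "Date: Fri, 08 Aug 2003 09:00:00 +0000\n"
            "Subject: test\n\nsigned body\n")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, check_unsigned_headers(raw, KEY_UIDS, SIG_TIME))
```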
