Evolution signatures
Adrian von Bidder
avbidder@fortytwo.ch
Wed Aug 6 12:16:02 2003
--Boundary-02=_NXNM/4eGm8aVLmm
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline
On Wednesday 06 August 2003 10:33, Ben Finney wrote:
> I don't see that any of these headers are a good target for signing.
>
> - If the From: header changes, you can check it against the UIDs for
> the signing key. Signing the From: header doesn't gain anything.
Hmm. Ok, so probably MUA implementors should warn if From: header does not=
=20
match a uid, or should not display from: at all but just the uid(s) of the=
=20
signing key.
>
> - If the To: header changes enough to be significant, how did it get
> delivered to you anyway?
To: header has nothing to do with envelope recipient. But I agree that=20
protecting the To: header is probably not meaningful at all.
> - If the Date: header changes, you can check it against the timestamp
> of the signature.
Same as with From: - this is a problem with the MUAs. Also, the sender can =
set=20
his clock to anything he wants anyway, so I agree this is not very=20
meaningful.
> - If the Subject: header changes, it should affect the context of the
> message at all. If it does, your correspondents are misusing the
> Subject: header. It's supposed to be a summary indication of the
> contents, not an integral part of them.
There's a huge difference on how it should be and how it is.... There are m=
any=20
people using the Subject to convey essential information. (People often don=
't=20
see why they should type (part of) their message twice - so they either lea=
ve=20
the subject empty or don't repeat in the body what is already in the=20
Subject.)
Yes, it's bad. But I doubt any attempt to educate users will be successful.
cheers
=2D- vbi
=2D-=20
OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481
--Boundary-02=_NXNM/4eGm8aVLmm
Content-Type: application/pgp-signature
Content-Description: signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iKcEABECAGcFAj8w1c1gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l6vzoAn1ynvW3ROwKmFlmzcqWV9UHz
u4AGAJ9q760aH97Efrj4YJEsTSb7uOmMTQ==
=WNOX
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e
--Boundary-02=_NXNM/4eGm8aVLmm--