Evolution signatures

Adrian von Bidder avbidder@fortytwo.ch
Wed Aug 6 12:16:02 2003


--Boundary-02=_NXNM/4eGm8aVLmm
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Wednesday 06 August 2003 10:33, Ben Finney wrote:

> I don't see that any of these headers are a good target for signing.
>
>   - If the From: header changes, you can check it against the UIDs for
>     the signing key.  Signing the From: header doesn't gain anything.

Hmm. Ok, so probably MUA implementors should warn if From: header does not=
=20
match a uid, or should not display from: at all but just the uid(s) of the=
=20
signing key.

>
>   - If the To: header changes enough to be significant, how did it get
>     delivered to you anyway?

To: header has nothing to do with envelope recipient. But I agree that=20
protecting the To: header is probably not meaningful at all.

>   - If the Date: header changes, you can check it against the timestamp
>     of the signature.

Same as with From: - this is a problem with the MUAs. Also, the sender can =
set=20
his clock to anything he wants anyway, so I agree this is not very=20
meaningful.

>   - If the Subject: header changes, it should affect the context of the
>     message at all.  If it does, your correspondents are misusing the
>     Subject: header.  It's supposed to be a summary indication of the
>     contents, not an integral part of them.

There's a huge difference on how it should be and how it is.... There are m=
any=20
people using the Subject to convey essential information. (People often don=
't=20
see why they should type (part of) their message twice - so they either lea=
ve=20
the subject empty or don't repeat in the body what is already in the=20
Subject.)

Yes, it's bad. But I doubt any attempt to educate users will be successful.

cheers
=2D- vbi

=2D-=20
OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481

--Boundary-02=_NXNM/4eGm8aVLmm
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iKcEABECAGcFAj8w1c1gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l6vzoAn1ynvW3ROwKmFlmzcqWV9UHz
u4AGAJ9q760aH97Efrj4YJEsTSb7uOmMTQ==
=WNOX
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e

--Boundary-02=_NXNM/4eGm8aVLmm--