Protecting Mail headers (was: Re: Evolution signatures)
Carl L. Gilbert
Wed Aug 6 13:26:02 2003
On Wed, 2003-08-06 at 02:28, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tuesday 05 August 2003 21:18, Neil Williams wrote:
> [Protecting email headers]
> > But again, what do I GAIN from you doing that extra work?
> You probably can see what I mean in the answer I wrote to Carl's mail. If
> Quite a few people are used to essential bits of information being contained
> in the Subject of a message. Or, to take the famous and stupid example:
> From: firstname.lastname@example.org
> ----- BEGIN PGP SIGNED MESSAGE -----
> I love you
> ----- END....
> I hope it's clear what you can lose because the From: header is not signed.
> Yes, the example is stupid, but I think things like these *do* happen.
> Attached is my proposal - comments, of course, are welcome. One extension
> thinking of: in case of encrypted mail, let the "protected" headers
> automatically override the original headers of the mail when it is displayed
> and strip the real mail headers down to the minimum (empty Subject, envelope
> sender/recipient in To/From, no CC, no References). But this would break the
> (for me) important property of the proposal: if your MUA at the receiving end
> doesn't support header protection, everything works as expected. So this
> extension would be optional in any case.
> -- vbi
Again, the headers belong to the mailing 'system', not the sender of the
email per se. So they can be modified at the discretion of the system.
To guarantee whom an email is from, it's going to require more than a
signature on a piece of text. You need some kind of authentication at
both ends, and a secure channel, which mail does NOT have.
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes
GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org (Encryption and Digital
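The gap discussed in this thread, as an added example that is not part of the original messages or of the attached proposal: a signature over the body alone stays valid when a relay rewrites From: or Subject:, while copies of those headers placed inside the signed part let the receiver detect the change. HMAC-SHA256 stands in for the OpenPGP signature, and `KEY`, the `X-Demo-Sig` header, the `PROTECTED` set and the sample addresses are assumptions made for the demonstration.

```python
import hashlib
import hmac
from email import message_from_string

KEY = b"constructed-demo-key"           # assumption: stand-in for the signer's key
PROTECTED = ("From", "To", "Subject")   # assumption: headers copied into the signed part


def sign(data: str) -> str:
    """HMAC-SHA256 as a stand-in for an OpenPGP signature over `data`."""
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()


def build(headers: dict, text: str) -> str:
    """Copy the protected headers into the body, then sign that whole body."""
    inner = "".join(f"{h}: {headers[h]}\n" for h in PROTECTED) + "\n" + text
    outer = "".join(f"{h}: {v}\n" for h, v in headers.items())
    return f"{outer}X-Demo-Sig: {sign(inner)}\n\n{inner}"


def check(raw: str) -> dict:
    """Verify the body signature, then compare outer headers with the signed copies."""
    outer = message_from_string(raw)
    inner_raw = outer.get_payload()          # everything after the outer headers
    sig_ok = hmac.compare_digest(outer["X-Demo-Sig"], sign(inner_raw))
    inner = message_from_string(inner_raw)   # signed header copies + original text
    # Only trust the inner copies if the signature over them verified.
    altered = [h for h in PROTECTED if outer[h] != inner[h]] if sig_ok else []
    return {"signature_valid": sig_ok, "altered_headers": altered}


if __name__ == "__main__":
    # Constructed sample message.
    raw = build({"From": "alice@example.org", "To": "bob@example.org",
                 "Subject": "Lunch"}, "See you at noon.\n")
    print(check(raw))
    # The mail system rewrites the outer From: header; the body is untouched,
    # so the signature still verifies and only the header comparison notices.
    rewritten = raw.replace("From: alice@example.org",
                            "From: mallory@example.net", 1)
    print(check(rewritten))
```

A receiver that does not run `check` still sees an ordinary message whose body begins with the copied header lines.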