Signing headers (was Re: Evolution signatures)

Carl L. Gilbert lamont_gilbert@rigidsoftware.com
Wed Aug 6 21:22:02 2003



On Wed, 2003-08-06 at 14:26, Kyle Hasselbacher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Aug 06, 2003 at 06:33:26PM +0100, Neil Williams wrote:
> >On Wednesday 06 Aug 2003 11:17 am, Adrian von Bidder wrote:
>
> >> There's a huge difference on how it should be and how it is.... There are
> >> many people using the Subject to convey essential information. [...]
>
> >Not true. Why make this part of GnuPG when the 'problem' is clearly user
> >related? I don't have any experience of what you described as 'often' - blank
> >subject lines are just plain rude (make scanning an inbox for important mail
> >from new correspondents more difficult) and users who do this should simply
> >be told to mend their ways.
> >
> >If someone doesn't repeat the 'vital' information contained in the subject
> >line within the signed message, disregard it and then ask them why.
>
> Just to throw another wrench in this, I've frequently wanted ENCRYPTED
> subjects.  When I'm sending a private mail, I find myself using a
> "practically blank" subject like "Note" or "Hi" because I don't want the
> subject available to third parties any more than I want them to read the
> contents of the message.
>
> I consider some headers (especially the subject) to be part of the
> communication of a message.  As such, I'd like to protect the privacy and
> integrity of those parts the same way as the message itself, as much as
> that's possible.
>
> The alternate extreme is that we throw away all the (unsigned) headers and
> try to understand the message as best we can from what's in it--who signed
> it, what it says, what the date stamp on the signature was, etc.  I dislike
> that option.

This is not an extreme.  If you want a secure mail 'system' this is
necessary.  You just need an MUA that knows YOUR subject is not where
most subjects are but inside the encrypted portion of your mail.  So
when the reader knows this it can substitute the real subject once it's
decoded.

Just as the subject is in the email, so should the DATE, FROM and TO be
there if you are worried.  It will not work in the headers because they
are used differently.  It can work in the headers only if you modify the
email system.  Perhaps that can be mixed in with some of the anti-spam
proposals.



> - --
> Kyle Hasselbacher | Life in the state of nature is solitary, poor, nasty,
> kyle@toehold.com  | brutish, and short. - Thomas Hobbes, Leviathan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQE/MUhd10sofiqUxIQRAiQsAKDU3/+5HJNFG0sD+OF5jNJvkouVlACfTfMT
> q05q2BB4f9a3cZe3TXSDlBw=
> =XD8S
> -----END PGP SIGNATURE-----
>
--
Thank you,


CL Gilbert
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes
9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org (Encryption and Digital
Signatures)
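
The approach described in this reply (the real Subject, Date, From and To carried inside the encrypted part, with the reading MUA substituting them after decryption), sketched as an added example that is not code from the thread or from GnuPG. The crypto step is assumed: `inner_plaintext` stands for whatever the MUA got back from decrypt-and-verify, and the function names, the `Note` placeholder and the sample addresses are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

PROTECTED = ("Subject", "From", "To", "Date")  # copied inside the protected part
PLACEHOLDER = "Note"  # constructed: the only subject third parties get to see

def build_inner(headers, body):
    """Plaintext handed to sign+encrypt: the real headers, then the body."""
    inner = EmailMessage()
    for name in PROTECTED:
        inner[name] = headers[name]
    inner.set_content(body)
    return inner.as_string()

def build_outer(headers, ciphertext):
    """Transport copy: routing headers stay usable, the subject is a placeholder."""
    outer = EmailMessage()
    for name in PROTECTED:
        outer[name] = PLACEHOLDER if name == "Subject" else headers[name]
    outer.set_content(ciphertext)
    return outer

def display_headers(outer, inner_plaintext):
    """Reader side: protected values win; outer headers that disagree are listed."""
    inner = message_from_string(inner_plaintext, policy=policy.default)
    shown, altered = {}, []
    for name in PROTECTED:
        if inner[name] is None:  # sender's MUA did not protect this header
            shown[name] = f"{outer[name]} (unprotected)"
            continue
        shown[name] = str(inner[name])
        expected = PLACEHOLDER if name == "Subject" else shown[name]
        if outer[name] is None or str(outer[name]) != expected:
            altered.append(name)
    return shown, altered

if __name__ == "__main__":
    # Constructed sample message; the ciphertext is a stand-in string.
    sample = {"Subject": "Contract draft", "From": "alice@example.org",
              "To": "bob@example.org", "Date": "Wed, 06 Aug 2003 21:22:02 +0000"}
    inner = build_inner(sample, "See attached terms.\n")
    outer = build_outer(sample, "<ciphertext of inner goes here>\n")
    outer.replace_header("From", "mallory@example.org")  # changed in transit
    shown, altered = display_headers(outer, inner)
    print(shown["Subject"], "| From:", shown["From"], "| altered:", altered)
```

The outer From, To and Date still have to be real for delivery, which is why only the Subject is replaced by a placeholder while the others are compared against their protected copies.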
