Signing headers (was Re: Evolution signatures)

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Thu Aug 7 18:42:02 2003


--Boundary-03=_SHoM/uZ5/qVFGyO
Content-Type: multipart/mixed;
  boundary="Boundary-01=_PHoM/dvJNsvYXqZ"
Content-Transfer-Encoding: 7bit
Content-Description: signed data
Content-Disposition: inline

--Boundary-01=_PHoM/dvJNsvYXqZ
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: body text
Content-Disposition: inline

Yo!

While we're bitching about mailers and so on... your mail has no References=
:=20
and not In-Reply-To: header...

On Thursday 07 August 2003 14:17, Stewart V. Wright wrote:

> This might seem like a valid point that the MUA creates the Subject,
> To, CC etc headers and that they are separate from the MTA/MDA but
> this is unfortunately not an enforced standard.
>
> The Uni I work at recently installed a (pretty awful) plugin for Exim
> that among other things does (pretty awful) spam blocking.  This
> (pretty awful) program (exiscan + spamassassin) modifies messages that
> it thinks are spam by putting a '{SPAM?}' at the start of the subject
> line, as well as adding various X-Spam headers.
>
> This is (apparently) a "Good Thing(TM)" for people that use MUAs that
> automatically open attachments, view HTML, and all those evils that
> make spammers life worthwhile.
>
> However, I like my email unadulterated (what else is it changing?
> Will it affect my SpamCop submissions?), and this change is entirely
> outside my control.  Whilst we all would like to think that headers,
> like message bodies are inviolate, they aren't.  :-(

So all the more reason to put those headers under version control^W^W^Winto=
=20
the signed message part.  The MUA at the receiving end has the choice of
 - displaying the original headers and just ignored the unsigned and=20
tampered-with counterparts
 - complaining loudly about the fact that the msg has been tampered with
 - displaying some unobtrusive hint that the headers differ in the signed v=
s.=20
the unsigned variants (reddish background or something like that).
 - not supporting header protection at all - everything works as it does now

I guess there's not many cases where complaining loudly (and I mean really=
=20
loudly: a dialog box with a dire warning that must be clicked away) is an=20
option: prepending [mailing-list-name] in front of the subject, or appendin=
g=20
a ticket number, is very common and IMHO legitimate (of course, the MUA cou=
ld=20
always try to parse these things and make an educated guess whether the res=
t=20
of the Subject, at least, was transmitted ok... No, I won't write the=20
code...). Also, I personally find replacing the Date header is not that bad=
 a=20
thing - too many people have set their computers' clocks to some very stran=
ge=20
time zones (interplanetary or what...)

So I guess displaying some warning besides the header would be the best=20
strategy. Like, perhaps, in the attached picture (it's only 5k, so I hope=20
everybody will forgive me).

greetings
=2D- vbi

=2D-=20
Debian is the Jedi operating system: "Always two there are, a master and
an apprentice".
        -- Simon Richter on debian-devel

--Boundary-01=_PHoM/dvJNsvYXqZ
Content-Type: image/png;
  name="kmail-header-protection.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="kmail-header-protection.png"

iVBORw0KGgoAAAANSUhEUgAAAdgAAAEeBAMAAADbRhkDAAAAMFBMVEUCAgKAbz1SUlKWhmF0hJX+
4pb+/u0CAsbOzjKaimT+/kLWyKv93XL+/v7+AgLu6u0hCVm6AAAAAWJLR0QAiAUdSAAAAAlwSFlz
AAALEgAACxIB0t1+/AAAAAd0SU1FB9MIBxAqMKBN6K0AABSJSURBVHic7Z07kvM4koDTgqGQou6w
7sbcYpy9BS1eQSa9iY0+hWyZ646jA5ShC1TPXqD/rpjYCHqtJfKFxIMPSVSpimL+VSURxCM/JF4J
UPrhw8gOf8/d37/963/+FsIvnfzz7x+RnHf49+MnCdiLHf+msP/3907+6yvVeoxEsAC7Iuy/vGkv
X6rXQwR20eUZgVPYpQjEl+din12KvC7s7pVgz11/Pb9OnxVZYX+8rLAr7AJkhV1hFyAr7Aq7AFlh
Fwu7KwYvFLYcvML+eFlhV9gFyAqLsF+rx5dIP+y//2NxsjbjF4Sls7slST/sf/5zcfK6AxQA4O9L
TD3RYwbP0ObB8rqw/hEDfczgSQo9UrJnKj7kMPop6jxWsscMVtiFSP8zFRjy34uS/mcqMOS345Jk
xJ/97dn6zSozw0LP5WET/sZhiRQD55Ix2MPmquKHYDc3wALIywEoPfCV/8XbdOVvA2y6dz7aAd9m
+c8Mm+YeY1wNy6X7l44M1Qe8QuwukN57WB/BR/HQCAtpzU+A5TqiWpNKpQrvSpR7mFVXANDLYSMx
kfhAsVAj0Z3U5Jg+SrjXxU4oERKwvhhPzAwYSWPiG3+HG8H1sFpcKJxV2cg9sQnVOxAL1y0cDmzW
AwQEjHKUmIdDuHe0JQTYzQRYsrwoez3sgVuQLw6Lj2GPdO/IeYOtjxw2QdgIl4fVPBPYLuQQ+uzh
wK1sI7B0D3MBbm1cE5tjIpNgpf1iOdIzCDY0ahotQv+CUVgowVKD74KlUUueB7QsADcwa9mjVO5G
omQDxBWWPWI9HVgxabheIyyO6xBIMdPuuRtueiwLAuutJ/coVYDlhst9dnMcgiVtgF4y1gCLKydc
Gu9y2IPJkkaVjYUNvRaODOGjcAMvwIJp6SkslScTc9QnCFZH46MOc1pziMh6kIGLsH5NfPZXuxj2
SKMjtlY/qlN9gli2MzMPugfg6uRy0cgG9gjSE7U+TEwLK1MqdY3QL8WyTGHnWZ0VpsGiWc/0LPng
Cqowf1m5b2IO2cyQRyYZ7G4MtrAyiXMcrIvJes2RSZZp2KnAPnv+GIP9wQLWsNhto63U356t36wC
1rD0abPMslmT4kWqDAWFm8dCuhtbZjkZ8JR8Vd5gDVuApcVBKrLyJNh4MOHYhxHYzbhumwEOHvlv
hMXmW7BsyXg6pPNMkqphtOmTCUO2zD69qve875dR5/2A07j6OToLioODzo2sDA/sUR4pUNPlHhFA
WBBYn1VWJBQFw7PS4aDFBu92NthN4oVwM+aVK/2wNwfWsibdMfGIeD11SLP2a9EQBTPKSgctNqzF
54ONvJDjdNiQLlEswMLR1keyhuSMMtjN8bGw4qAfaEckhfVLwiKsOvZWMYBg2aO6UNj2y7ChdF7l
G9jypsR9luXotPSfDruRcjZH4xEdLCxFYSemx7Km9GMCuxldwd4Au2GVLCyYztMHqyzGI2JKNjBG
QTepHzaUfshgxdedC1aGTGx2B5lneaQIs7uZ5w+wCelSj2hDwy0PAWY0PhhXiG+gL2NK38Sw4l7N
AjtRJhQ1m0d0s8wEOxFiHo/oZol3KuDjNc56cKcCvdnz8mHl8+53wYLxiFCmNG8zSGkux/7LO2QU
1qvBGm9yLZMgEN1NlChFSYUw13KUe72lXgk7FbDjTbfYxQsTXmalflgbpV/vYrT7vaV+GbMstTGw
joru2nVTuZyVmU1W9YhIt4M9ugmHa2EDUs+BNMp13tKcsMDtTFd4wXqdmrIslTObTbSURFizko9d
BlH6YPeUj9d6SzfB9o3GYscAq0V0y51NrLtdSlKU6OimACt1eYyjTPeWboLtnWeB13ShHCnjcIBR
WGqjfJphYOm4CrPmASqKMt1bugm2dwUVeyhYisAex2E39ugmgd2wY1eCFY5Rb2lO2LQAMCgHZSH9
IIbdHMXflqMbA8tRDGwUZbq3NCesjKzBUaGnFgRWBldvgXAvHY1Nq5ZeIP5KCnu1tzQn7MRsRu4X
VxOTo8zlLX0R7AQjDEWZyVtaH/p6UdhnP1o5r4zA/qNekkRHlrKKWjysf55C1seLh5Uzy9gR+Edd
wYJkFPZ9ORJ2KjwjpC7ewmBfyrIvC1sajRcLW5pny7Cg705bExxdwHsiWUCPnCBkk6WJihhSrHSz
sHxKYU8QZeGvboHN1ASwIaYUjnkqKR/nchq+nRY4BXZrs4ivBopK9SxY2gaZtPx2QkvIowwlmgrr
mxbp4P+icWELFN69sJVOW8BGCICG8i9bEAtigzjJPYYNzeS0tQV1d06+BCwIS3hH4+Pt7oUKwigY
lxTxv/fDomJSIurpFfMlecWQGmFRC7zil9MWxGRe79OJ7nEARohhuSBgu4eC2GpSERQTuMq4vDks
C1vb5MgYsWICy4HvARaodhQW720lI9MnvKF6Yal0n86WF2C5BuaAxaYYcsGs+2Gx/W65HUqjD7A+
kNv1CduhwPqY2oSKsKaJYz0G2Pd3KnYmWJPmRLAQwUKw7Ls2Yx5rtM+ettRwydhg7DoJ1qfz907S
USysmuFeWBwPdICibgZxkzPNmPql1+hdDJ7AvssA5aOEPiuZEVABlu6dthHsCWTsez/NAxtGY20s
Eey7wmIP35IypBuYEQjv6fAcjcYSe8tAPFbgaMy1I0pwMz5RR6fycWyOJ79B2DN+wB9S2KJMn3xD
WaMxpgkM5DR9BbXjlfGktXG+rPoqscvJq6Tw/whMhP2BksHG31OxMNjoeypAPiiwUNjUsivsQmTk
eyqWupX6Ufqeig722d9FNqOMr6CereGMssKusAuQFbYAC/BWSN1emrtKb6OXKRk20Qsn2jdZWFEm
w/Yo23RF7XtLEorGRmhDeATbXq6FbaJQudKqa/dJyitgP9+gMzDa+PMtwDYJywTYpi1FmwRr6RLY
tNC2icKba2E/3/yfT4WVgjrrdrXY/aLVsFk1l30XsFetEtjW64JtoovTXvZNiKwqt5IhJvcZYs4+
uGn3XGjL+eOtveTjf1tUoovS+PJ85OwbNbOzHoaFy2f3w7DFSvaZs9X8233UXI0t2066P00jLbrp
rveXS5tm22CGVDkNZUjBrdefK1BgKdz+NBesve4Fy0otSw5ecbmIli3Ctk2km8DuL5dB2IbvYyrR
MzKsIDQEu78Yor22lgT2EsaEhvoEJy/CZo7AGCyNA80F2w+B7Pdc/gCs6KXmi2GbkHH3rxNtQaFh
S6FhgNoL/p5rHttzGRZKjxmUYD/jeagJ9exBuLsY2EvTRNGbUVi68I3bx+mHjSxLzQxD2kaamYVN
v1FzEBZH4yFYMsQ1sL5FF2ADW8sNQwKwRffBhnx8mn2bwH5Mg+0XLbcV1OaSNmOjUgrbtbgibBvl
bGHbfZ9l4wGKrNzOCkuLipamHgLZU91fuBMNw2ozvkRTj+acwYZmrKsGhr3Q7MVTD85G3TDSEGy7
TweowjMVY7B3SpNYdFTaUGvXSrZT0TPPPkza1J6jst+PxynL6vWssAuQFfbFYT/LOxU/TKZa9nMm
1vbmeWMGuQL202xR3CrJ7sEXyxWwnQ+QwuqmAbnYjSzxZHWKWwm4adCa3YP+VGh4jNzevnSYCuu/
TfNcXC4ybCKyaUBqk0Nl/JlG1sFty6t93D3oT0XR26a5fhV5Paz/Ns3ddFjdNIjfWFjrgFx0K2Mw
FUd+NOxZHyG5ArYRbfUNbllQM77QThcqLrsHPakC7OVLYHf8b2qfHVPbbzW0fHWxuwfPgt1Zw37s
km/UHBmNZdOgvcjugWyMtbzl1hhY3j0YTtWK7/vgAcp/m2byjZojKyjZNGgb2Xpq92LF1g5QCtL0
p2ovxq+XfB4G+xH+x57Jy0Umwo1u8kxZSR9ipp7LJewe9KTCGtmbZjC73AUbbxo0Wcjtqe7YjhiQ
+ywbzfxNFnJHqkesKVavZ4VdgqywCexfz1ZyLpkC++tPXD15+ezNqP/O95EpsH/8iY8YYPQo8We3
3NL3ac5vNvQz3tnxR2RP2OaZAPvXH7/wrLKzrlc4WiIHjVNYiiJ1AVFsv9B+RlOYAnv+nQ5mycmL
nB//6m30iY8hvKEF+Y6/JefW/Kqpng4rn5/Ndip+nX//08NeAqyK5/RqIya9/Qy3Lm+f/AYDP/X3
zQd+fTvOvqci36n44/zxJzVjgoUY9o2YmOTtYoxO5lNYefP2dFj5zHu2U/HXHx8fv6JmbMTC+soo
wXoRo/Kd7wKb7VT81QX+LqgI+xn1WYWlHmuQzGgdwXahb8+BTb6nIt+p+NW9/P6/fvABb71sNB6A
jaYeC/cdBqjuT75T8cvLnz3JwwAF+GuQFPbNvF5kWP4WsB/X7VSEqcdb/QKTYZ+8qDjLA193PVPx
rVeN+Tx7H2z5Ud1vIquLt8IuQFbY14V92qcEHyBjsEuSFXaFXYCssCvsAiT59MfCYV/KsivsCvvz
ZYVdYRcgK+wKuwBZYa+GddMLrG7RciYZhQWw0cuqArjuj5Or7k0FxYjVN4eNtSuqWtWuqiu5h29c
2dg/Adb5H28+ALafQzzWvPIRYlhp2RQHKANMXoUm8OUyGbaK7AKVczGsEz5+4+QWG90B59DRfiFf
JNfA1gHWVdhSHWfiMlg1s+OqAE5euee15PGdCm3Gru6D9fdcDMt3qk7oEgOq53bb6X3W2ySGrVRr
MR++9z9y50fCelCrZw6bjsZyp3Y/CbbTEmoZjiJYbasB1pVgQ0gV8br6i8HHYHF10P2hqUeXDhGs
WVRIFJmiyKSgccF9Z9ihtEFR92AtZ5J7YJ82X94qq9ezwi5AVtgVdgHywrD6ZOoLwOonQF4BNjxg
vcL+eIl3Kl6pzy7esivsq8C+Tp9VWWF/vKywt8PSHpybHtVIMVXVn5fsU9Nu5pTcboCFgWO42WEH
sqpsnDg3NxvsOMtohEjXoVSTtpVdFtHdCKu55LvEFe+N45Fr5VsStibAKzwIcBwP6CyezhW4YVS1
tL88lTYeLJTiuNrhaZNNVenOvD2w6MqDLjKEsij5tOOPmFHf0MFGRUeuTk4qKz3zqJwL9YyF+RA5
9cJUlRzmRqnCOQtzUAjeCKcpldRGCksl+qrRsugQ+YrHDKI+Itc+WzxyFXOFk2sdW1QZV9UBRFIR
bJQqbkROTodBqUP5BtYcoToT2ahKsPjf4e3Cf4sX9dmCRRNYVFJOmzHEN6RQS2BhgUdODAF6eMEl
qcAWRXGcyVlhsYOUYTVyLRkyrN+h8N9P4V/PcL1l6T3U1rLRmAGRZTV5pc00TSWtwmlxlYmjsC6y
bGU11Mh1SK6Wxe+nKFnWmRwGYbkflWCl+U2GtS9a3D2wps+e6ds0S7ADo7EOUKIJE/DIEBeN/6o6
GTRo8KlcnKqKYMMAJXxVqFjbjCNzuDotCxSWvp+i2GdTCfOCTj3YZ7kZdyEyiUg16dSDCuvU439w
EvFDXJQKkk5b19K3zYIJ+ywORBlsxbNDNPVUoLD4gctJsF8qdrno+iJJ3LHMwmg82bJPEzdyH8Yy
+Emwd8sLwg6toBYkD/Fnh0Mw9FFPaxayDSvGR8JmS4tBnW4uZiBjmqw0ySOb8cBU4Ppv3Zezyy+v
gM1XULqWwPWQkxVUBeqZyi8uBOrg83Jyo5M2Z3V1K1lCVLSEkFxjBmcWHuJHYAoXP8MeykE9yv9v
9tDaWFeJ/hFiffDYOXbOKl2+SzNWn5eTm4e0tQ7V1XVhsR0tDlPYyphMnwUVNTJYWpmNw6amNet/
Z1xUMI5AHcNi5GiZarTnXDUfZ0syq24r5rHQ2B+pZfWYwHLNjMOmpu2BdRFsGBmCH1SCraSJOnF1
K273eIuqMdvhQ9ToAxgK6+6DnWjZCLbKLVuGVXfBBe8PF/nqAlWpWWseDcKyOXF1J8B2Gby/n/h1
qM8WYWFGWM7BUTwowDo7zErk6yx7ej91V9vEsvlorAOUwrrKWLYSFzUeoELvtAo5HbbE1dWawVsV
yACVICS155+I1uSRrrYcA7tFy6awuQQ3lmHxKeJQirqotXRc8Xk5uVGCHFKBTaYe2egBm0Jg46kH
HdhKP6ogsMb1ji17eudmvB2B/UIpzDpT05Ukg6U/3wS2sJ6YIn0HRLA1rfj7wc4rrwVrWzENUC8E
exofoHq6f/8t670OJB6Q21KlMmG52F+yK97KFXPm9jS1o5wnpxqR6hbYskpWt7543x02X0H56cC7
jXRsRBvgfs1eOXVje5YQ4fOz+kGn4Ajwhc+HPQLIUoFkygUnB74+cbSAEeUkn1HLiqaRfchtdDzt
4wIST2MrKdQuDoPb4sPpWLaSdSRn62RpS/noT5xKItfsMscHvrS6tkvTeHE6oRnnpq3EbXRmmUoT
ufRZF/zBKq4mPZaN1+0g+lM+ziSKUtlqd8mBr8Bq6XX0toMd34MyCbVwJdVGq6vyMdha1AZXB6M7
We5Wchn2VySVRiafF1xy4Os/voqNVgl52TwdtmhZZ37qAqycHg7Bsh+qFemq4PJhOOSpRLhNu+gM
lD6rW0WlO5vPLc9UpLDoQN0Aa/UvwcbeaOzFuxwWDVqCDX12DDY3bARLCkJqWeNIugJsYYCiMAPr
MthogKIDXXvgy7Bm+K9kE6MPdsJTqQqru6dRMzYfl02mnlo/P5tNPfwRXN5vqCsz9ZhUIJkCRXb2
wJe4we65YYYmnxT2hueNbUMNQddJmsFd0ld6oRlf/3B17nVmAWPirk0wJH2lzwL7U6TwPRWv9CT5
Sx1G76bAusHLQnQapq/uyvNKPvV8jMK6ZOE6Gfb6QXpeyWAh+S9sCuKuhq2/KexHYtlsBRWe5tVD
WA6m+/xUsEz98hgxfbsHRnRfyBfJjc8b8zGoC3XgdC3Hy9bg/bHn5vT9w6l65MbnjUHcTwvLOQqj
C2mcrm/55zlyiz/rjPtpWre5S+t29DodhQVSeN6YfKNlnThZxkwQ7rL5sJu6OrXs0+TWPluAjfyv
MEprP/0BsAV/1hmPsjBA1cUBSmvGPQ/5lueg5GnecAhb13bH0iVTD/n30dTzHNj/B2gS5n4L/SSo
AAAAAElFTkSuQmCC

--Boundary-01=_PHoM/dvJNsvYXqZ--

--Boundary-03=_SHoM/uZ5/qVFGyO
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj8ygdJgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJEIukMYvlp/fWGp0AoPFZlTKrP55Od0Wj+CVtvhTA
aprtAKDyqrM53/8lKx1EDIQl07chkhTAbQ==
=JvrP
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e

--Boundary-03=_SHoM/uZ5/qVFGyO--