OpenPGP vs inline PGP

David Ellement
Fri Jul 11 05:55:02 2003

On 2003-07-10, Robin Lynn Frank wrote
> On Thursday 10 July 2003 16:15, David Ellement wrote:
> > Just curious: what do you do about inline signatures?  They aren't
> > guaranteed to verify, which seems like it doesn't fit with the need for
> > something that "either works or it doesn't".
> Have no problem at all verifying them.  Kmail's built-in facility for 
> verifying inline pgp sigs has worked flawlessly.  I've even tested it with 
> messages I've deliberately tampered with.

Actually, I was referring to the fact that MTAs can (and do) alter
messages an break the signatures.  It shows up all the time on mailing
lists: someone sends an inline signed message, and some fraction of the
list can't verify it while others on the list can.  Since neither the
sender nor the recipients have control of the path the message follows,
there's no guarantee a "good" message and signature will arrive.

David Ellement