Encouraging email security.
Thu May 22 09:13:59 2003
On Wednesday 21 May 2003 16:13, Juan F. Codagnone wrote:
> On Tuesday 20 May 2003 12:10, Mark H. Wood wrote:
> > I usually don't have any secrets to hide, but I don't want to be
> > misrepresented, and I'd sign everything I send if I wasn't
> > embarrassed to have you all find out that I haven't yet collected a
> > single nonself signature on my key -- oops! :-/
> Another problem I see with email signing is that the signature only
> validates the body, and someone can take ambiguous signed messages
> and give them another sense (out of the original context). If
> people start signing _all_ their mails, and send bodies like `The
> deal is off', `I love you', `Meet me at the bar at 15.00' then a 3rd
> party can fake the email headers and forward it. The new recipient
> will think that the message is valid. IIRC,  talked about that.
This was brought up before. There are several things that can be done:
1.) The date of the email and the date of the signature are compared. If
the signature is significantly older than the email then the mail
client should issue a warning.
2.) The mail client could automatically add a copy of the From:, To: and
Subject: header to the signed message body.
3.) The PGP/MIME standard could be extended to allow putting the From:,
To: and Subject: header into a second body part similar to the
application/pgp-encrypted message part which contains the version code.
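Added example, not part of the original thread or of any mail client's code: a receiving-side sketch of options 1 and 2 above, flagging a signature much older than the mail's Date: header and outer From:/To:/Subject: headers that differ from a copy inside the signed body. It assumes the signature has already been verified and its creation time extracted; the 24-hour threshold, the "headers first, then a blank line" body layout, the function names and the sample mails are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

PROTECTED = ("From", "To", "Subject")
MAX_SIG_AGE = timedelta(hours=24)  # assumed threshold for "significantly older"

def embedded_headers(body):
    """Parse the leading 'Name: value' lines (up to the first blank line)
    that the sending client copied into the signed body (assumed layout)."""
    found = {}
    for line in body.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep and name in PROTECTED:
            found[name] = value.strip()
    return found

def replay_warnings(raw_mail, sig_created):
    """Warnings for an already-verified signed mail; sig_created is the
    signature creation time reported by the OpenPGP verifier."""
    msg = message_from_string(raw_mail)
    warnings = []
    sent = parsedate_to_datetime(msg["Date"])
    if sent - sig_created > MAX_SIG_AGE:
        warnings.append("signature is %s older than the mail" % (sent - sig_created))
    copy = embedded_headers(msg.get_payload())
    for name in PROTECTED:
        if name not in copy:
            warnings.append("no signed copy of %s:" % name)
        elif copy[name] != (msg[name] or "").strip():
            warnings.append("%s: header differs from signed copy" % name)
    return warnings

# Constructed sample: the same signed body under its original and forged headers.
SIGNED_BODY = ("From: alice@example.org\nTo: bob@example.org\nSubject: Friday\n\n"
               "The deal is off\n")
ORIGINAL = ("From: alice@example.org\nTo: bob@example.org\nSubject: Friday\n"
            "Date: Thu, 22 May 2003 09:13:59 +0000\n\n" + SIGNED_BODY)
REPLAYED = ("From: alice@example.org\nTo: carol@example.org\nSubject: Contract\n"
            "Date: Mon, 02 Jun 2003 10:00:00 +0000\n\n" + SIGNED_BODY)
SIG_TIME = datetime(2003, 5, 22, 9, 13, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, mail in (("original", ORIGINAL), ("replayed", REPLAYED)):
        print(label, replay_warnings(mail, SIG_TIME))
```

The date check alone does not catch a prompt replay to a different recipient; the header comparison does, because the To: copy inside the signed body no longer matches the outer header.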