pgp/mime vs in-line pgp
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Wed Apr 14 09:45:12 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
People, why do you all insist on cc:ing me? Plese do not.
On Wednesday 14 April 2004 08.37, Per Tunedal Casual wrote:
> I have noticed many non-valid inlined signatures but I have never ran
> into any problems with inlined encrypted (and signed) mail. Why?
> What's the difference? Does the encryption somehow protect the
> original mail (so the signature always will verify)? Can this
> knowledge be used to somehow improve the inlined signatures?
> Per Tunedal
simple: encrypted mail is encoded in base64, all changes in whitespace
are irrelevant (and there are very few MTA/MUA/MDA problems that really
corrupt non-whitespace ascii characters in email. And those usually
don't survive long...)
with signed mail, whitespace becomes significant. There are some MTA and
many MDA and MUA-related issues regarding whitespace. Also, not all
gpg/pgp versions behave the same regarding whitespace at end of line.
Additionally: encoding issues. Encrypted mail again is protected by the
base64 encoding and by having the signature inside the encrypted part.
So gpg will always be able to look at the signed data directly, because
no other code in the mailer can interpret the base64 encoded data.
Signed mail is open to be modified by the MUA because it is just text,
and contains the 8bit-characters directly (raw or in qp form). So many
MUA/MDA and even some MTAs play with the encoding...
PGP/MIME can go around the encoding issues: it is properly standardized
how a PGP/MIME message must be generated, so all implementations should
know how to verify it (not all get it right - evo had some nasty bugs
there.) The whitespace issues are *in principle* also possible to work
around for inline PGP: strip whitespace at end of line, and you're
mostly safe.
greetings
- -- vbi
- --
Today is Prickle-Prickle, the 31st day of Discord in the YOLD 3170
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481
iKcEARECAGcFAkB87A1gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l65N8An3Px8mWaQvzo/hWcEh5wlueu
n5EJAKCfI0xVekBgzwfP+xInBljBN/02Bg==
=/cHQ
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list