pgp/mime vs in-line pgp

Adrian 'Dagurashibanipal' von Bidder avbidder at fortytwo.ch
Wed Apr 14 09:45:12 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

People, why do you all insist on cc:ing me? Please do not.

On Wednesday 14 April 2004 08.37, Per Tunedal Casual wrote:

> I have noticed many non-valid inlined signatures but I have never run
> into any problems with inlined encrypted (and signed) mail. Why?
> What's the difference? Does the encryption somehow protect the
> original mail (so the signature always will verify)? Can this
> knowledge be used to somehow improve the inlined signatures?
> Per Tunedal

simple: encrypted mail is encoded in base64, all changes in whitespace 
are irrelevant (and there are very few MTA/MUA/MDA problems that really 
corrupt non-whitespace ascii characters in email. And those usually 
don't survive long...)

with signed mail, whitespace becomes significant. There are some MTA and 
many MDA and MUA-related issues regarding whitespace. Also, not all 
gpg/pgp versions behave the same regarding whitespace at end of line.

Additionally: encoding issues. Encrypted mail again is protected by the 
base64 encoding and by having the signature inside the encrypted part. 
So gpg will always be able to look at the signed data directly, because 
no other code in the mailer can interpret the base64 encoded data.

Signed mail is open to be modified by the MUA because it is just text, 
and contains the 8bit-characters directly (raw or in qp form). So many 
MUA/MDA and even some MTAs play with the encoding...

PGP/MIME can go around the encoding issues: it is properly standardized 
how a PGP/MIME message must be generated, so all implementations should 
know how to verify it (not all get it right - evo had some nasty bugs 
there.) The whitespace issues are *in principle* also possible to work 
around for inline PGP: strip whitespace at end of line, and you're 
mostly safe.

greetings
- -- vbi


- -- 
Today is Prickle-Prickle, the 31st day of Discord in the YOLD 3170
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481

-----END PGP SIGNATURE-----
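
The whitespace and encoding points in the message above, as an added example that is not part of the original post or of GnuPG: it applies the cleartext-signature canonicalization from RFC 4880 section 7.1 (dash-unescaping, trailing blanks removed, CRLF line endings) and compares digests before and after constructed transit changes. The function names and sample body are assumptions, and the digest of the canonical text stands in for a full signature check.

```python
import hashlib

def canonical_cleartext(body: bytes) -> bytes:
    """Text that an OpenPGP cleartext signature is computed over (RFC 4880, 7.1)."""
    lines = []
    for line in body.splitlines():          # accepts LF, CRLF or CR; drops the final line ending
        if line.startswith(b"- "):          # undo dash-escaping ("- -- vbi" -> "-- vbi")
            line = line[2:]
        lines.append(line.rstrip(b" \t"))   # trailing spaces and tabs are not signed
    return b"\r\n".join(lines)              # line endings are hashed as CRLF

def digest(data: bytes) -> str:
    # SHA-1 only to match the "Hash: SHA1" header of the message above
    return hashlib.sha1(data).hexdigest()

def survives(sent: bytes, received: bytes) -> bool:
    """True if the received body still hashes to what the sender signed."""
    return digest(canonical_cleartext(sent)) == digest(canonical_cleartext(received))

# Constructed sample body, Latin-1 encoded, with one dash-escaped line.
SENT = "Gr\u00fc\u00dfe,\nwhitespace at end of line\n- -- vbi\n".encode("latin-1")

# Constructed transit changes of the kind the message describes.
PADDED = SENT.replace(b"\n", b"  \r\n")             # trailing blanks added, LF -> CRLF
RECODED = SENT.decode("latin-1").encode("utf-8")    # charset converted by a mailer

if __name__ == "__main__":
    print("raw bytes equal after padding:  ", digest(SENT) == digest(PADDED))
    print("canonical text survives padding:", survives(SENT, PADDED))
    print("canonical text survives recode: ", survives(SENT, RECODED))
```

Stripping trailing whitespace absorbs the padding case, while the charset conversion still changes the signed bytes, which is the case PGP/MIME addresses.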


