PGP/MIME considered harmful for mobile

Doug Barton dougb at dougbarton.us
Sun Feb 27 23:59:15 CET 2011


On 02/27/2011 00:25, Martin Gollowitzer wrote:
> * Doug Barton<dougb at dougbarton.us>  [110227 05:30]:
>> If you look at the characteristics of the actual messages encrypted mail
>> is very similar whether it's in-line or MIME. It's signed messages that
>> make things interesting because the signature in a MIME message is
>> actually (sort of) an attachment but also sort of not, which is why it
>> confuses simple mail readers like Outlook Express.
>
> Encrypted messages differ from signed messages.

Yes, of course. Not sure how that's relevant. :)

> The percentage of
> inline-signed messages I receive with bad signatures is much higher than
> the number of PGP/MIME messages with broken signatures.

If you're using Mutt exclusively, that's likely the problem. My 
experience is different because I use Thunderbird primarily, and I see a 
failure rate (very) slightly higher for MIME-signed messages but that's 
usually because enigmail hasn't done the appropriate EOL munging. I have 
a set of scripts for PGP on Alpine that render most of those correctly, 
so the actual failure rate for the signatures themselves is pretty much 
equal.

> Despite that, there are MUAs which do not automatically parse every
> message completely to see if there's inline PGP content in them, but if
> the see that a message uses PGP/MIME they immediately try to
> decrypt/verify the message.

Once again, while what you're saying may be true, it's not really 
relevant to the fact that there are a non-trivial number of MUAs in the 
installed base that simply choke on PGP/MIME.

The simple fact is that both types of signatures have valid use cases, 
and there is really no point in trying to convince people not to use one 
method or the other. It's equally silly to use disparaging language 
about either method.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/




More information about the Gnupg-users mailing list