signed headers for OpenPGP [was: Re: What is the benefit of signing an encrypted email]

[Daniel Kahn Gillmor]

On 01/19/2011 01:29 PM, Werner Koch wrote:
> I'd like to see a feature in MUAs to wrap the entire mail as presented
> in the composer into a message/rfc822 container and send the actual
> message out with the same headers as in the rfc822 container.  This
> allows to sign the entire mail including the headers.  On the receiving
> site the MUA should figure out that the signed headers match the actual
> ones and visually indicate the message including the header as signed.
> This is fully MIME compliant and should not break any MIME aware mailer
> (except for those only claiming to support MIME).

That's a pretty elegant way to solve this problem, actually.  You don't
even need the signed headers to match all the other headers (e.g. the
Received: headers won't be known at sign/send time, not to mention the
other dubious mangling that goes on at the MTA level that Ingo mentioned).

I suspect that many spam engines might balk at an e-mail with a
top-level Content-Type: message/rfc822 though.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110119/db140a7e/attachment.pgp>