PGP/MIME use (was Re: META)

Robert J. Hansen rjh at sixdemonbag.org
Tue Jan 31 00:40:08 CET 2012


On 1/30/12 6:09 PM, John Clizbe wrote:
> I always get a chuckle every time I read someone writing that inline signing is
> somehow "deprecated." Strangely enough, the only place I can find the
> origination of such an idea is in the PGP/MIME RFC 3156 itself which strikes me
> as somewhat self-serving. Deprecation is not mentioned in the OpenPGP standard
> RFC 4880.

Well, in defense of that interpretation, RFC4880 just specifies a packet
format and ASCII armoring -- it's deliberately silent on everything from
RFCx822 integration to concerns about using it as the basis for disk
encryption products.

I would favor seeing an "OpenPGP best practices" RFC.  4880 tells us
what's legal OpenPGP traffic, but says nothing about what's worthwhile.

> I use PGP/MIME when I know a mailing list supports it and inline when I know it
> doesn't. I use PGP/MIME if I know the recipient's MUA supports it, inline otherwise.

This comes fairly close to my own practices, with one significant
exception: since it's almost impossible for me to know whether all the
MUAs used on a mailing list support PGP/MIME, I feel it's better for
mailing list traffic to be inline.

Of course, I really feel it's better for mailing list traffic to not be
signed at all, since usually all it gives us is a false sense of
security.  A signature from an unvalidated key belonging to an unknown
person whom we don't know from Adam doesn't mean much, if anything at all.

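The structural difference the thread turns on (an RFC 3156 multipart/signed container versus a clearsign block pasted into the text body) is what an MUA actually inspects when deciding whether it "supports" PGP/MIME. The following script is an added example, not code from this thread or from GnuPG: it classifies a message as PGP/MIME, inline, or unsigned using only the Python standard library, and pulls out the armored signature block a verifier would hand to gpg. The three sample messages and their armor blocks are constructed placeholders, not real signatures, so nothing here is cryptographically verified.

```python
"""Tell PGP/MIME (RFC 3156) signed mail apart from inline (clearsigned) mail.

Added example, not from the original thread.  RFC 3156 carries the signature
in a multipart/signed container with protocol="application/pgp-signature";
inline signing puts the clearsign armor straight into the text body.  The
sample messages below are constructed and the armor blocks are placeholders,
not real signatures, so nothing here is passed to gpg.
"""
import email
from email import policy
from typing import Optional

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def classify_signature(raw: bytes) -> str:
    """Return 'pgp-mime', 'inline', 'unsigned' or 'malformed-multipart-signed'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/signed":
        parts = msg.get_payload()
        # RFC 3156: exactly two parts, the second being the detached signature.
        if (msg.get_param("protocol") == "application/pgp-signature"
                and len(parts) == 2
                and parts[1].get_content_type() == "application/pgp-signature"):
            return "pgp-mime"
        return "malformed-multipart-signed"
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return "unsigned"
    text = body.get_content()
    # Inline signing: the clearsign armor lives inside the text itself.
    if CLEARSIGN_BEGIN in text and SIG_BEGIN in text and SIG_END in text:
        return "inline"
    return "unsigned"


def extract_signature_armor(raw: bytes) -> Optional[str]:
    """Return the ASCII-armored signature block a verifier would pass to gpg."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    kind = classify_signature(raw)
    if kind == "pgp-mime":
        sig_part = msg.get_payload()[1]
        return sig_part.get_payload(decode=True).decode("ascii", "replace").strip()
    if kind == "inline":
        text = msg.get_body(preferencelist=("plain",)).get_content()
        start = text.index(SIG_BEGIN)
        end = text.index(SIG_END) + len(SIG_END)
        return text[start:end]
    return None


# Constructed sample 1: PGP/MIME as RFC 3156 lays it out.
PGP_MIME_SAMPLE = b"""\
From: alice@example.invalid
To: list@example.invalid
Subject: constructed PGP/MIME sample
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello list, this is the signed body.
--b1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
--b1--
"""

# Constructed sample 2: inline clearsign, with a list footer appended after the
# armored region (the footer sits outside what the signature covers).
INLINE_SAMPLE = b"""\
From: bob@example.invalid
To: list@example.invalid
Subject: constructed inline sample
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello list, this is the clearsigned body.
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----

--
list footer appended after the signed region
"""

# Constructed sample 3: ordinary unsigned text.
UNSIGNED_SAMPLE = b"""\
From: carol@example.invalid
To: list@example.invalid
Subject: constructed unsigned sample
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hello list, nothing signed here.
"""

if __name__ == "__main__":
    for name, sample in (("pgp-mime", PGP_MIME_SAMPLE),
                         ("inline", INLINE_SAMPLE),
                         ("unsigned", UNSIGNED_SAMPLE)):
        print(name, "->", classify_signature(sample))
```

The classifier deliberately reports a multipart/signed container that does not meet RFC 3156's two-part shape as malformed rather than falling back to a body scan, since a reader that silently downgrades is exactly the kind of MUA behaviour the thread is wary of.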