Is the signature encrypted

Hauke Laging mailinglisten at hauke-laging.de
Mon Nov 5 17:31:00 CET 2012


On Mon 05.11.2012, 16:47:40, Johan Wevers wrote:
> On 05-11-2012 16:29, Hauke Laging wrote:
> > I don't understand why PGP/MIME
> > does not define a separate signature for the relevant sender created
> > headers (from, to, subject, date). That would protect the headers and
> > allow filters to check the sender without exposing the data signature.
> 
> That would lead to many false warnings about signature errors, since
> those headers are often mangled by mail transport software ("long"
> lines broken, (de)html-ized, control characters inserted (%20 instead of
> a space), etc. etc.)

Comparing the legacy headers and signed headers is not the only option. Much
easier would be: If the legacy headers are mangled anyway then just
replace them with the signed ones (the last MTA or the MDA would do that) and
perhaps mark them as corrected. The MUA could even do that itself.

This approach would even easily allow hiding the real subject by just setting
some dummy value.


> I
> predict that it will be nearly impossible to get this both so adaptive
> that the number of false sig errors reduces to almost zero AND does not
> contain lots of holes for spammers to exploit.

The main problem is, of course, to get crypto more widely used. Otherwise 
things like this are just luxury problems. But if someday more people have 
started using crypto then such signature errors due to header mangling would 
soon become a problem for the respective ISPs. You do not need a technical 
solution for everything; sometimes the market does. :-)

Given the amount of problems that can arise from spam and malware I am 
surprised that the Western governments seem not to do anything about securing 
this meanwhile critical infrastructure.


Hauke
-- 
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
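
The replacement step proposed in the message above, as an added example that is not part of the original post or of any PGP/MIME specification: a final MTA, MDA or MUA overwrites the legacy headers with the signed copies and records which ones differed. It assumes the signed header block comes from a part whose signature was already verified; the `X-Headers-Corrected` marker name and the sample messages are hypothetical and constructed.

```python
from email import message_from_string
from email.parser import HeaderParser

PROTECTED = ("From", "To", "Subject", "Date")  # the headers named in the thread
MARKER = "X-Headers-Corrected"  # hypothetical marker header, not a standard

def _norm(value):
    # Collapse folding and whitespace runs so harmless re-wrapping is ignored.
    return " ".join(str(value).split())

def restore_signed_headers(raw_message, signed_header_block):
    """Return (message, corrected_names) with legacy headers replaced.
    Assumption: signed_header_block was taken from a part whose OpenPGP
    signature has already been verified; verification is out of scope."""
    msg = message_from_string(raw_message)
    signed = HeaderParser().parsestr(signed_header_block)
    corrected = []
    for name in PROTECTED:
        if signed[name] is None:
            continue  # not signed by the sender: leave the legacy header
        legacy = msg.get_all(name) or []
        if len(legacy) != 1 or _norm(legacy[0]) != _norm(signed[name]):
            corrected.append(name)
        del msg[name]  # drops every occurrence, including duplicates
        msg[name] = _norm(signed[name])
    del msg[MARKER]  # a marker that arrived from outside is not trusted
    if corrected:
        msg[MARKER] = ", ".join(corrected)
    return msg, corrected

# Constructed sample: duplicate From, folded To, altered Subject, stale marker.
SAMPLE_RAW = (
    "From: Alice <alice@example.org>\n"
    "From: Mallory <mallory@example.net>\n"
    "To: Bob\n <bob@example.org>\n"
    "Subject: Invoice%20overdue\n"
    "Date: Mon, 05 Nov 2012 17:31:00 +0100\n"
    "X-Headers-Corrected: none\n"
    "\nbody\n"
)
SAMPLE_SIGNED = (
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.org>\n"
    "Subject: Invoice overdue\n"
    "Date: Mon, 05 Nov 2012 17:31:00 +0100\n"
)

if __name__ == "__main__":
    print(restore_signed_headers(SAMPLE_RAW, SAMPLE_SIGNED)[1])
```

Because the signed values always win, a re-folded `To` line is silently normalized rather than reported, which avoids the false warnings raised in the quoted reply.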


More information about the Gnupg-users mailing list