Pros and cons of PGP/MIME for outgoing e-mail?

Werner Koch wk at gnupg.org
Mon Nov 24 13:28:01 CET 2014


Hi Bjarni,

On Sun, 23 Nov 2014 14:12, bre at pagekite.net said:

> https://www.mailpile.is/blog/2014-11-21_To_PGP_MIME_Or_Not.html

Not read (yet).

> The "tl;dr" is that it might be worth dropping PGP/MIME for outgoing
> encrypted mail and instead use a more ad-hoc approach which

Please don't do this.  In particular the encrypted format is so easy to
create and parse that it is not worth to even think about it.  Yes,
there are two MIME parts but you can ignore the first part and it is
even possible to decrypt such a simple mail without any MIME knowledge.
Creating is even easier, you can use a hard wired boundary.

Signing is a bit more complete but for years there is no problem with
such mails anymore - all MUAs are able to display the text and those
not capable of PGP/MIME ignore the signature. 

I would suggest to ignore the micalg parameter - use pgp-sha1 if you
create one but do not compare it when reading.

> interoperates with more mail clients. I'm also tentatively proposing an
> approach to reducing the header metadata leakage (Subject, From, To,
> etc. being sent in the clear).

Wrap in a message/rfc822 part.

> As folks on this list have been using GPG in the real world longer than
> most, I would very much appreciate your feedback, experience and

It has always been a heated discussion for close to 20 years.  The
non-US people mostly preferring PGP/MIME and the US people clear text
signatures.

Even S/MIME has meanwhile completely moved away from opaque signatures.
Thus by supporting PGP/MIME you only need one framework and no alien
stuff like PGP cleartext signed messages without the ability to attach
something.



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
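
The points made in the message above (a hard-wired boundary, decryption without MIME knowledge, and wrapping in a message/rfc822 part), shown as an added example that is not part of the original post or of GnuPG. The boundary string, function names, addresses and the armored block are assumptions constructed for illustration; the encryption step itself is left to the OpenPGP tool.

```python
import re

BOUNDARY = "pgpmime-hardwired-boundary"  # fixed boundary (assumed name)
ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)

# Constructed placeholder, not real ciphertext; in practice this is the
# ASCII-armored output of encrypting the wrapped plaintext.
SAMPLE_ARMORED = """-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkU2FtcGxlT25seQ
=AAAA
-----END PGP MESSAGE-----"""

def _header(value):
    # Reject CR/LF so a caller-supplied value cannot add extra headers.
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value

def wrap_rfc822(sender, recipient, subject, body):
    """Plaintext to encrypt: a message/rfc822 part carrying the real headers."""
    inner = "\r\n".join([f"From: {_header(sender)}", f"To: {_header(recipient)}",
                         f"Subject: {_header(subject)}",
                         "Content-Type: text/plain; charset=utf-8", "", body])
    return "Content-Type: message/rfc822\r\n\r\n" + inner

def build_pgp_mime(sender, recipient, armored, outer_subject="Encrypted message"):
    """RFC 3156 multipart/encrypted: control part, then the armored data."""
    return "\r\n".join([
        f"From: {_header(sender)}", f"To: {_header(recipient)}",
        f"Subject: {_header(outer_subject)}", "MIME-Version: 1.0",
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
        f' boundary="{BOUNDARY}"', "",
        f"--{BOUNDARY}", "Content-Type: application/pgp-encrypted", "",
        "Version: 1", "",
        f"--{BOUNDARY}", "Content-Type: application/octet-stream", "",
        *armored.strip().splitlines(),
        f"--{BOUNDARY}--", ""])

def extract_armored(raw):
    """Find the ciphertext without any MIME parsing: scan for the armor lines."""
    m = ARMOR.search(raw)
    return m.group(0).replace("\r\n", "\n") if m else None
```

The outer Subject is a generic placeholder; the real one travels only inside the encrypted message/rfc822 part.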



