Pros and cons of PGP/MIME for outgoing e-mail?
Werner Koch
wk at gnupg.org
Mon Nov 24 13:28:01 CET 2014
Hi Bjarni,
On Sun, 23 Nov 2014 14:12, bre at pagekite.net said:
> https://www.mailpile.is/blog/2014-11-21_To_PGP_MIME_Or_Not.html
Not read (yet).
> The "tl;dr" is that it might be worth dropping PGP/MIME for outgoing
> encrypted mail and instead use a more ad-hoc approach which
Please don't do this. In particular the encrypted format is so easy to
create and parse that it is not worth even thinking about it. Yes,
there are two MIME parts but you can ignore the first part and it is
even possible to decrypt such a simple mail without any MIME knowledge.
Creating is even easier, you can use a hard wired boundary.
Signing is a bit more complete but for years there has been no problem with
such mails anymore - all MUAs are able to display the text and those
not capable of PGP/MIME ignore the signature.
I would suggest to ignore the micalg parameter - use pgp-sha1 if you
create one but do not compare it when reading.
> interoperates with more mail clients. I'm also tentatively proposing an
> approach to reducing the header metadata leakage (Subject, From, To,
> etc. being sent in the clear).
Wrap in a message/rfc822 part.
> As folks on this list have been using GPG in the real world longer than
> most, I would very much appreciate your feedback, experience and
It has always been a heated discussion for close to 20 years. The
non-US people mostly preferring PGP/MIME and the US people clear text
signatures.
Even S/MIME has meanwhile completely moved away from opaque signatures.
Thus by supporting PGP/MIME you only need one framework and no alien
stuff like PGP cleartext signed messages without the ability to attach
something.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
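
Added example, not part of the message above and not GnuPG or Mailpile code: a sketch of the RFC 3156 multipart/encrypted layout built with a hard-wired boundary, a receiver that pulls out the ciphertext without any MIME parsing, and the message/rfc822 wrapper for the plaintext that keeps the real headers out of the clear. The function names, addresses, outer subject and the armored block are constructed placeholders.

```python
import email

BOUNDARY = "pgpmime-fixed-boundary"  # hard-wired: armor lines never start with "--pgpmime"
# Constructed placeholder, not real ciphertext; a real block comes from the encryptor.
SAMPLE_ARMOR = ("-----BEGIN PGP MESSAGE-----\r\n\r\n"
                "Q09OU1RSVUNURUQgU0FNUExF\r\n=AAAA\r\n"
                "-----END PGP MESSAGE-----")

def wrap_rfc822(sender, rcpt, subject, text):
    """Plaintext handed to the encryptor: the real headers live inside message/rfc822."""
    return ("Content-Type: message/rfc822\r\n\r\n"
            f"From: {sender}\r\nTo: {rcpt}\r\nSubject: {subject}\r\n"
            "Content-Type: text/plain; charset=utf-8\r\n\r\n"
            f"{text}\r\n")

def build_encrypted(sender, rcpt, armored):
    """Outer mail: control part ('Version: 1') plus the ciphertext part."""
    return (f"From: {sender}\r\nTo: {rcpt}\r\n"
            "Subject: Encrypted message\r\n"  # placeholder outer subject (assumption)
            "MIME-Version: 1.0\r\n"
            'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\r\n'
            f' boundary="{BOUNDARY}"\r\n\r\n'
            f"--{BOUNDARY}\r\nContent-Type: application/pgp-encrypted\r\n\r\n"
            "Version: 1\r\n\r\n"
            f"--{BOUNDARY}\r\nContent-Type: application/octet-stream\r\n\r\n"
            f"{armored}\r\n--{BOUNDARY}--\r\n")

def extract_armored(raw):
    """Receiver with no MIME knowledge: slice the armor block out by its markers."""
    begin, end = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
    start = raw.index(begin)
    return raw[start:raw.index(end, start) + len(end)]

def part_types(raw):
    """Cross-check with the stdlib MIME parser: outer type, then each sub-part."""
    msg = email.message_from_string(raw)
    return [msg.get_content_type()] + [p.get_content_type() for p in msg.get_payload()]

if __name__ == "__main__":
    inner = wrap_rfc822("alice@example.org", "bob@example.org", "Real subject", "hi")
    # 'inner' would be encrypted here; SAMPLE_ARMOR stands in for the result.
    mail = build_encrypted("alice@example.org", "bob@example.org", SAMPLE_ARMOR)
    print(part_types(mail))
    print(extract_armored(mail) == SAMPLE_ARMOR)
```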