MIME or inline signature ?

Doug Barton dougb at dougbarton.email
Sat Feb 14 22:36:08 CET 2015


FWIW, I hate this debate, and try hard to stay out of it. But it really 
bothers me when people spread factually incorrect information, 
especially when they try to use that as the basis of their arguments 
for/against one method or the other.

On 2/14/15 7:49 AM, Hugo Osvaldo Barrera wrote:

> Pros of GPG/Mime:
> * It's a lot less ugly for users with no gpg support. The large signature block
>    at the end and the gpg marks are hard to ignore.

Why are you signing mail that is being sent to people without PGP 
support in the first place?

> * AFAIK, inline gpg has issues with non-ascii characters. 😞 Correct me if I'm
>    wrong.

This hasn't been true for almost a decade, assuming that the person 
using the non-ASCII characters has correctly set up their environment. 
And FWIW, it's also not true that PGP/MIME will be 100% successful when 
one of the communicants has not correctly set up their environment.

> * Inline-gpg includes a signature for each attachment. This allows third
>    parties to count how many files are attached (and their filenames, I
>    believe). gpg/mime include one huge blob, so third parties can't tell this
>    sort of metadata.

Nothing you wrote in this section is 100% correct. You *can* send one 
signature per attachment, but you don't have to. You can also bundle the 
attachment and signature in an archive, or you can bundle a lot of 
attachments in the same archive, and sign that, or you can bundle all of 
the attachments and signatures in one archive .... etc.

It's also not true that PGP/MIME protects you from metadata analysis. 
The messages are not "one big blob," they are actually separated into 
parts, including the attachments. It's trivial to see how many 
attachments are in a message just by analyzing the MIME headers, whether 
the message/attachments are encrypted or not.

> In the end, I'd suggest you go with what you prefer on a whim, more than
> technical reasons.

... or, you could use what your correspondents are able to handle, since 
theoretically that's the point of communication in the first place? :)

hope this helps,

Doug
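
The point above about MIME headers, shown as an added example that is not part of the original post: in a PGP/MIME signed message laid out per RFC 3156, the part structure can be read without any key. The sample message, its filenames and the function name `mime_metadata` are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: a PGP/MIME *signed* message (RFC 3156 layout) with two
# attachments. The signature body is a placeholder; nothing is verified here.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="body"

--body
Content-Type: text/plain; charset=utf-8

See attached.
--body
Content-Type: application/pdf
Content-Disposition: attachment; filename="q4.pdf"

(constructed bytes)
--body
Content-Type: text/csv
Content-Disposition: attachment; filename="hosts.csv"

a,b
--body--

--sig
Content-Type: application/pgp-signature; name="signature.asc"

(placeholder signature)
--sig--
"""

def mime_metadata(raw):
    """Report what the MIME headers alone disclose; no keys are used."""
    msg = message_from_string(raw)
    signed = (msg.get_content_type() == "multipart/signed"
              and msg.get_param("protocol") == "application/pgp-signature")
    parts = [(p.get_filename(), p.get_content_type())
             for p in msg.walk()
             if p.get_content_disposition() == "attachment"]
    return {"pgp_mime_signed": signed, "attachments": parts}

if __name__ == "__main__":
    print(mime_metadata(SAMPLE))
```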



