[k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)

vedaal at nym.hush.com vedaal at nym.hush.com
Tue Feb 5 23:38:07 CET 2019



On 2/5/2019 at 4:50 PM, "justina colmena via Gnupg-users" wrote:

> THE DATE PROBLEM. Only the body of the email is signed, not the envelope
> headers, namely the subject and intended recipients, and probably
> most importantly, the date. It would be nice to have an option to
> automatically include some of these headers in the body of the signed
> message when composing a signed email message.
>
> THE STRIPPING PROBLEM. Currently, each attachment is signed
> separately and independently by the PGP-MIME standard. It would be
> preferable to digitally sign SHA hashes of the main message and all
> attachments in a single additional attachment. This would leave an
> indication of any attachments that may have been "stripped" from the
> email message, but without breaking the signatures of remaining
> attachments in such cases.

=====

In this case, there is a simple workaround:

[1] Put the subject, the intended recipients, and the date in the
introductory line(s) in the plaintext.

[2] Enarmor all the attachments [using the GnuPG --enarmor command
(-a command in PGP)], and paste the enarmored text into the body of
the message, at the end of the message, right after a line saying:
here are the following attachments :

[3] Sign and encrypt the entire message composed of parts [1] and [2]
and send it off.

This has the following 3 advantages:

(a) no one knows what kind of attachments are being sent, or how many.
(b) all the important data is in the plaintext, where it belongs, and
not vulnerable to MITM attacks
(c) backward compatibility is maintained, and no new standards have to
be designed
vedaal
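
A sketch of steps [1] and [2] and of the receiver-side comparison they make possible, added here as an example; it is not code from the post or from GnuPG. `enarmor` is an offline stand-in for `gpg --enarmor` that follows the RFC 4880 armor layout, the function names and the Subject/To/Date line format are assumptions, and step [3] (sign and encrypt) is left to gpg.

```python
import base64

SIGNED_FIELDS = ("Subject", "To", "Date")          # headers copied into the body
MARKER = "here are the following attachments :"    # marker line wording from the post
BEGIN, END = "-----BEGIN PGP ARMORED FILE-----", "-----END PGP ARMORED FILE-----"

def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def checksum_line(data: bytes) -> str:
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()

def enarmor(data: bytes) -> str:
    """Offline stand-in (assumption) for `gpg --enarmor`: base64 rows plus CRC line."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, "", *rows, checksum_line(data), END])

def compose_body(headers: dict, text: str, attachments: list) -> str:
    """Steps [1] and [2]: header lines first, armored attachments at the end."""
    intro = [f"{name}: {headers[name]}" for name in SIGNED_FIELDS]
    if any("\n" in line or "\r" in line for line in intro):
        raise ValueError("header value contains a line break")
    return "\n".join(intro + ["", text, "", MARKER] + [enarmor(a) for a in attachments]) + "\n"

def envelope_mismatches(body: str, envelope: dict) -> list:
    """After the signature over `body` verified: which envelope headers disagree?"""
    signed = dict(line.partition(": ")[::2] for line in body.split("\n")[:len(SIGNED_FIELDS)])
    return [name for name in SIGNED_FIELDS if signed.get(name) != envelope.get(name)]

def extract_attachments(body: str) -> list:
    """Dearmor every block after the marker line, rejecting a bad armor checksum."""
    out = []
    for block in body.rpartition(MARKER)[2].split(BEGIN)[1:]:
        rows = block.split(END)[0].split()
        data = base64.b64decode("".join(rows[:-1]))
        if not rows or rows[-1] != checksum_line(data):
            raise ValueError("armor checksum mismatch")
        out.append(data)
    return out
```

Call `envelope_mismatches` only on a body whose signature has already verified; a non-empty result means the unsigned envelope headers differ from what the sender signed, for example when a signed body is re-sent under a new Date.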