Signing (and Encrypting) Mails with gpg like DKIM

Jakob Bohm jb-gnumlists at wisemo.com
Wed Sep 4 14:41:38 CEST 2024


On 2024-09-02 09:00, Werner Koch via Gnupg-users wrote:
> On Sat, 31 Aug 2024 18:29, T. S. said:
>
>> either because of the -----BEGIN PGP SIGNED MESSAGE----- strings, or because
>> of the unknown attachments in the MIME message.
> Don't use that legacy inline PGP encryption.  Use PGP/MIME, a 28-year-old
> standard (RFC 2015).  You should give that unnamed attachment a
> name, for example
>
>    Content-Type: application/pgp-signature;
>             name="openpgp-digital-signature.asc"
>
> which clearly shows what kind of attachment this is.
>
>> When now looking at DKIM, this looks much more advanced. There is a header in
>> the mail, containing the signature, all details of the signature and
> <the_usual_rant> You may want to go back to the year ~2000 when DKIM was
> first presented at the IETF in Paris.  It was then a quick hack from the
> sendmail authors and it took only a few hours until an attack on this
> was found.  DKIM also broke with the long standing rule of being able to
> work in a pipeline (iirc, this is called an online algo these days).
> Instead of doing all that DKIM stuff it would have been easier to
> directly use S/MIME or PGP/MIME and include copies of important headers
> in a signed attachment.  But well, attachments are ugly for some people.
> </>
Using S/MIME for server-to-server protection would involve heavy mangling
of mail bodies, unlike the header-only placement of DKIM signatures.  It
is true that DKIM generation and validation need the entire mail in some
kind of storage, such as the mail spool of a resend-capable MTA, which is
a key reliability requirement for non-spam mail servers anyway.

As a mail admin I see a lot of buggy third-party mail servers built by rather
large companies, but the traditional line mangling so common before MIME
seems to be a thing of the past, while Base64-encoding mail bodies has become
the realm of buggy software and/or spam (I happen to use such a buggy big-name
SMTP library for mailing webshop receipts etc.).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
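The PGP/MIME layout Werner recommends above, as an added example that is not part of the thread: Python's standard email package builds the multipart/signed envelope with the signature part named "openpgp-digital-signature.asc", and the verifier side recovers the exact bytes that were signed. The signer is a constructed SHA-256 placeholder standing in for gpg --detach-sign, and the addresses are made up.

```python
# Added example (not from the thread): RFC 3156 PGP/MIME multipart/signed message
# with the signature part named as suggested above, plus the verifier-side step of
# recovering exactly the bytes that were signed.
import hashlib
import re
from email import encoders, message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.policy import SMTP

def placeholder_sign(data: bytes) -> str:
    # Constructed stand-in for `gpg --detach-sign --armor`: a real signer returns an
    # OpenPGP signature packet, this one just binds the SHA-256 of its input.
    return ("-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER-SHA256-"
            + hashlib.sha256(data).hexdigest() + "\n-----END PGP SIGNATURE-----\n")

def build_pgp_mime_signed(sender, recipient, subject, text, signer=placeholder_sign) -> bytes:
    body = MIMEText(text, "plain", "us-ascii")
    del body["MIME-Version"]  # belongs on the outer message, not on the signed part
    # RFC 3156: what gets signed is the first body part, headers included, in CRLF form.
    to_sign = body.as_bytes(policy=SMTP)
    sig = MIMEApplication(signer(to_sign).encode("ascii"), "pgp-signature",
                          encoders.encode_7or8bit, name="openpgp-digital-signature.asc")
    outer = MIMEMultipart("signed", protocol="application/pgp-signature", micalg="pgp-sha256")
    outer["From"], outer["To"], outer["Subject"] = sender, recipient, subject
    outer.attach(body)
    outer.attach(sig)
    return outer.as_bytes(policy=SMTP)

def inspect_signed(raw: bytes) -> dict:
    # Verifier side: hash the bytes between the MIME boundaries exactly as received.
    # Re-serialising a parsed part may refold headers or change line endings, which
    # is why the whole stored message, not a re-parsed copy, is what gets checked.
    outer = message_from_bytes(raw, policy=SMTP)
    segments = raw.split(b"\r\n--" + outer.get_boundary().encode("ascii"))
    sig_part = message_from_bytes(segments[2].removeprefix(b"\r\n"), policy=SMTP)
    return {"content_type": outer.get_content_type(),
            "protocol": outer.get_param("protocol"),
            "sig_name": sig_part.get_param("name"),
            "signed": segments[1].removeprefix(b"\r\n"),
            "signature": sig_part.get_payload(decode=True)}

def verify_placeholder(raw: bytes) -> bool:
    parts = inspect_signed(raw)
    m = re.search(rb"PLACEHOLDER-SHA256-([0-9a-f]{64})", parts["signature"])
    return bool(m) and m.group(1).decode() == hashlib.sha256(parts["signed"]).hexdigest()
```

Any edit to the signed part after signing, even a changed line ending, makes verify_placeholder return False, which is the same property a real OpenPGP verifier enforces over these bytes.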