Re: [LUG] GnuPG with Mutt

 

Note changed subject line - GNU/Linux systems don't use PGP, they use GnuPG which follows the OpenPGP standards (that PGP on Windows does not always manage).

On 06/10/06 16:59:30, Simon Waters wrote:
> Benjamin A'Lee wrote:
> >
> > No, that's right; Enigmail creates inline signatures by default,
> > which are strongly deprecated. This probably should be considered
> > a bug in Enigmail...
>
> Come on, be fair, it is a bug in Outlook family email clients that
> led to that one.

?? MIME-type signatures are inherently more reliable - inline is VERY easily broken, even by "normal" mail handling routines (like mailing lists), especially when used by or sent to non-Latin1 character sets. GnuPG deprecated inline signatures independently of any effects on MS email clients and did so for solid cryptographic, not philosophical, reasons.

Enigmail is way behind the times. GnuPG is likely to drop support for inline signatures in a future release. Let's hope Enigmail make the transition before they are forced to.

Take an example. The DCGLUG archive retains inline signatures where they are used and attaches PGP/MIME type signatures as separate files. The intention with inline is that such signatures should be verifiable AFTER processing by mhonarc and other agents, such as in our own archive. The sad fact is that many are broken.

Not only that, but when I used to send lots of inline signatures to the various lists, including the gnupg-users list, MANY members noted that messages which appeared valid to some appeared as invalid signatures to others! In situations where I may have been subscribed twice (for whatever reason), it was common to find one message failed verification whilst precisely the same message to the other address passed verification. Same server, same account, same list manager software - and it wasn't that one account had more failures than the other, there was no telling which account would show a failed signature but sometimes as many as 25% of my own messages failed verification on at least one of the receiving accounts. Such rates are simply unacceptable. Inline signatures are rightly deprecated.

True, PGP/MIME signatures cannot be used to verify emails that have been archived by scripts like mhonarc but the false negative rate with inline signatures in archives (which are supposed to be OK) is SO high that it becomes pointless. Once that slim advantage is eliminated - and problems with OE discounted on the basis that it isn't the fault of gnupg - there can be, IMHO, no basis for promoting, encouraging or even supporting inline signatures.

> Just Enigmail is sensible enough to have a default, that stops people
> polluting this list with "how do I set Enigmail plugin to use inline
> signatures, because everyone using Outlook sees my email as an
> attachment" ;)

Hasn't stopped me sending PGP/MIME for the last _mumble_ years.
:-)

In all that time, I have not come across a SINGLE instance of PGP/MIME giving differing results for the one message. If a PGP/MIME message is invalid, it is invalid in all supporting email clients, for all users, on all platforms and all locales. That is essential for any meaningful cryptography.

It's high time Enigmail changed their default to match the *cryptographic* reality.

--

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Attachment: pgpxquuWYOsZY.pgp
Description: PGP signature

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
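
The following is an added example, not part of the original post and not GnuPG code. It illustrates the breakage the message above describes: an inline (cleartext) signature covers the canonicalised body bytes, so some transit changes are absorbed and others invalidate it. The sample body, the transform names and the use of a bare SHA-256 digest as a stand-in for the signed hash are assumptions made for the illustration.

```python
import hashlib

def canonical_cleartext(body: bytes) -> bytes:
    """Canonical text hashed for a cleartext signature (RFC 4880, section 7.1):
    trailing spaces/tabs removed from each line, lines joined with CRLF, and
    the final line ending (before the signature armor) left out."""
    text = body.replace(b"\r\n", b"\n")
    if text.endswith(b"\n"):
        text = text[:-1]
    return b"\r\n".join(line.rstrip(b" \t") for line in text.split(b"\n"))

def digest(body: bytes) -> str:
    # Stand-in for the hash the signature covers. A real OpenPGP signature
    # also hashes a trailer, but the text part is what mail transit alters.
    return hashlib.sha256(canonical_cleartext(body)).hexdigest()

# Constructed sample: the Latin-1 body exactly as the sender signed it.
SIGNED = ("Caf\u00e9 meeting moved to Friday.  \n"
          "From now on we meet weekly.\n").encode("latin-1")

# Constructed examples of changes that ordinary mail handling can apply.
TRANSFORMS = {
    "crlf line endings": lambda b: b.replace(b"\n", b"\r\n"),
    "trailing space stripped": lambda b: b"\n".join(l.rstrip() for l in b.split(b"\n")),
    "latin-1 re-encoded as utf-8": lambda b: b.decode("latin-1").encode("utf-8"),
    "mbox 'From ' escaping": lambda b: b.replace(b"\nFrom ", b"\n>From "),
    "line re-wrapped": lambda b: b.replace(b" to Friday", b"\nto Friday"),
}

def survives(name: str) -> bool:
    """True if the body still hashes to the signed value after the change."""
    return digest(TRANSFORMS[name](SIGNED)) == digest(SIGNED)

def report() -> dict:
    return {name: survives(name) for name in TRANSFORMS}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:30} {'still verifies' if ok else 'BAD signature'}")
```

With PGP/MIME the signed part is carried as a MIME entity with its own headers and transfer encoding, which is why conforming software leaves those bytes alone in transit.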