
Re: [LUG] GnuPG with Mutt

 

Note changed subject line - GNU/Linux systems don't use PGP, they use GnuPG which follows the OpenPGP standards (that PGP on Windows does not always manage).

On 06/10/06 16:59:30, Simon Waters wrote:
> Benjamin A'Lee wrote:
> >
> > No, that's right; Enigmail creates inline signatures by default, which
> > are strongly deprecated. This probably should be considered a bug
> > in Enigmail...
>
> Come on, be fair, it is a bug in Outlook family email clients that led
> to that one.

?? MIME-type signatures are inherently more reliable - inline is VERY
easily broken, even by "normal" mail handling routines (like mailing
lists), especially when used by or sent to non-Latin1 character sets.
GnuPG deprecated inline signatures independently of any effects on MS
email clients and did so for solid cryptographic, not philosophical,
reasons.

Enigmail is way behind the times. GnuPG is likely to drop support for
inline signatures in a future release. Let's hope Enigmail make the
transition before they are forced to.

Take an example. The DCGLUG archive retains inline signatures where
they are used and attaches PGP/MIME type signatures as separate files.
The intention with inline is that such signatures should be verifiable
AFTER processing by mhonarc and other agents, such as in our own
archive. The sad fact is that many are broken.

Not only that, but when I used to send lots of inline signatures to the
various lists, including the gnupg-users list, MANY members noted that
messages which appeared valid to some appeared as invalid signatures to
others! In situations where I may have been subscribed twice (for
whatever reason), it was common to find one message failed verification
whilst precisely the same message to the other address passed
verification. Same server, same account, same list manager software -
and it wasn't that one account had more failures than the other, there
was no telling which account would show a failed signature but
sometimes as many as 25% of my own messages failed verification on at
least one of the receiving accounts. Such rates are simply
unacceptable. Inline signatures are rightly deprecated.

True, PGP/MIME signatures cannot be used to verify emails that have
been archived by scripts like mhonarc but the false negative rate with
inline signatures in archives (which are supposed to be OK) is SO high
that it becomes pointless. Once that slim advantage is eliminated - and
problems with OE discounted on the basis that it isn't the fault of
GnuPG - there can be, IMHO, no basis for promoting, encouraging or even
supporting inline signatures.

> Just Enigmail is sensible enough to have a default, that stops people
> polluting this list with "how do I set Enigmail plugin to use inline
> signatures, because everyone using Outlook sees my email as an
> attachment" ;)

Hasn't stopped me sending PGP/MIME for the last _mumble_ years.
:-)

In all that time, I have not come across a SINGLE instance of PGP/MIME giving differing results for the one message. If a PGP/MIME message is invalid, it is invalid in all supporting email clients, for all users, on all platforms and all locales. That is essential for any meaningful cryptography.

It's high time Enigmail changed their default to match the
*cryptographic* reality.
--

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Attachment: pgpxquuWYOsZY.pgp
Description: PGP signature

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
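
An added illustration of the fragility discussed in the message above (not part of the original post or of GnuPG): it canonicalises clearsigned text the way RFC 4880 section 7.1 describes and checks which mail-handling changes alter the bytes that get hashed, then shows the same charset change leaving a quoted-printable PGP/MIME part untouched. The sample body and the four transform functions are constructed stand-ins for what a list manager or gateway might do.

```python
import hashlib
import quopri
import textwrap

# Constructed sample body, sent as Latin-1 (not taken from the thread).
BODY = ("Réunion moved to 19:30.\n"
        "Cost is £5 per head, payable on the night at the usual venue.\n"
        ).encode("latin-1")

def canonical_cleartext(body: bytes) -> bytes:
    """Canonical signed text per RFC 4880 sec. 7.1: trailing spaces/tabs
    stripped, CRLF line endings, final line ending excluded.
    Dash-escaping is left out of this sketch."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)

def digest(body: bytes) -> str:
    # Stand-in for the signature hash (the real one also covers a fixed trailer).
    return hashlib.sha256(canonical_cleartext(body)).hexdigest()

# Constructed stand-ins for ordinary mail handling steps.
def to_crlf(b): return b.replace(b"\n", b"\r\n")
def pad_lines(b): return b"".join(l + b"  \n" for l in b.splitlines())
def recode(b): return b.decode("latin-1").encode("utf-8")
def rewrap(b): return textwrap.fill(b.decode("latin-1"), width=40).encode("latin-1")

def inline_survives(transform) -> bool:
    """True if the inline-signed text still hashes the same after transform."""
    return digest(transform(BODY)) == digest(BODY)

def mime_signed_part(body: bytes) -> bytes:
    # RFC 3156 requires the signed part to be 7-bit; quoted-printable here.
    head = (b"Content-Type: text/plain; charset=iso-8859-1\r\n"
            b"Content-Transfer-Encoding: quoted-printable\r\n\r\n")
    return head + quopri.encodestring(body)

def mime_survives(transform) -> bool:
    """True if the signed MIME part is byte-identical after transform."""
    part = mime_signed_part(BODY)
    return transform(part) == part

if __name__ == "__main__":
    for t in (to_crlf, pad_lines, recode, rewrap):
        print(f"inline {t.__name__:9} {'ok' if inline_survives(t) else 'BROKEN'}")
    print("PGP/MIME recode  ", "ok" if mime_survives(recode) else "BROKEN")
```

Line-ending and trailing-whitespace changes are absorbed by the canonicalisation; charset conversion and re-wrapping are not, which is the kind of inconsistent result the message describes.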