Bad signatures, pgp and MIME


Recent messages sent to debian-security-announce have shown that
there is some discrepancy between how PGP/MIME works and
how people think that it works.

The basic problem is that you can't split a PGP/MIME signed message
into parts and then verify it.  If you use Mutt for PGP signing
and then split the message with mutt or munpack, you cannot verify
the parts.

One reason given for this was that the Content-Type header needs
to be part of the split message.

People were asking for the relevant document describing this
MIME/PGP standard.

At least Mutt and premail understand this type of signature.

Regarding security advisories, we will skip this kind of signing,
although for a different reason.  Signing the file before
sending it will enable you to fetch the advisory from the web
and verify the signature.



Beware of bugs in the above code; I have only proved it correct,
not tried it.  -- Donald E. Knuth

Please always Cc to me when replying to me on the lists.
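As an added illustration of the split-and-verify problem described above (example code, not from the original message; the sample message and its address are constructed), this compares the bytes a PGP/MIME verifier actually hashes with what you get after splitting the message into parts:

```python
import email
from email import policy

# Constructed PGP/MIME (RFC 3156) multipart/signed message; the signature
# part is a placeholder, since the point is which bytes get verified.
RAW_MESSAGE = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;"
    b' protocol="application/pgp-signature"; boundary="=-=-="\r\n'
    b"\r\n"
    b"--=-=-=\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Package: example\r\n"
    b"Fix: upgrade to 1.2-3\r\n"
    b"--=-=-=\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"(placeholder, not a real signature)\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--=-=-=--\r\n"
)


def signed_body_part(raw: bytes) -> bytes:
    """Exact bytes a PGP/MIME verifier hashes: the first body part with its
    own MIME headers, in CRLF form, cut from the raw message rather than
    re-serialised (RFC 3156 section 5)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    boundary = b"--" + msg.get_boundary().encode("ascii")
    body = raw.split(b"\r\n\r\n", 1)[1]  # drop the top-level headers
    start = body.index(boundary + b"\r\n") + len(boundary) + 2
    # The CRLF before the next boundary belongs to the boundary, not the part.
    end = body.index(b"\r\n" + boundary, start)
    return body[start:end]


def body_only(raw: bytes) -> bytes:
    """What a naive split (saving the part from mutt, or munpack) hands to
    gpg: the decoded text with Content-Type and the other part headers gone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_payload(0).get_payload(decode=True)
```

Feeding `body_only()` to gpg with the detached signature fails because the signature covers `signed_body_part()`, headers included.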

