[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Challenge-response mail filters considered harmful



on Tue, Aug 05, 2003 at 01:50:26AM +0100, Pigeon (jah.pigeon@ukonline.co.uk) wrote:
> On Mon, Aug 04, 2003 at 05:48:42PM -0400, ScruLoose wrote:
> > On Mon, Aug 04, 2003 at 01:18:18PM -0700, Alan Connor wrote:
> > > 2) They are a an extreme violation of netiquette
> > 
> > I don't know where you've been learning your netiquette. PGP-signed
> > messages have been widely regarded as acceptable (if not preferable)
> > for *at least* the past decade.
> 
> I'm on a yahoo mailing list that automatically strips PGP signatures
> from posts. I consider that a genuine breach of netiquette. 

It's a specific violation of RFC 2015.  Among the reasons for supporting
a MIME-encoded PGP signature and payload is so that mail transports (and
archives) will _treat the content as immutable_.  This should be
reported as a bug to Yahoo.

Then again, there are other problems I've got with Yahoo lists/groups
which basically wall them off from me.  Try reading a Yahoo group w/o
cookies sometime.


> > > 4) They make posts hard to read and ugly.
> > 
> > Only if you're reading them on a badly broken client (or User-Agent if
> > you prefer the term).
> 
> eg. Outlook Express...

More to the point:  the RFC 2015 standard (as opposed to the S-MIME
signature standard) calls for a message body which is otherwise
unimpeded, and a signature which itself is plain text, meaning that if a
mailer without RFC 2015 support does _the right thing_ and doesn't mess
with the message, both are available.  As cleartext.  And for subsequent
validation.  Microsoft naturally "embraces and extends" this standard in
a way that breaks utility.

> > A properly designed program *even if it doesn't know PGP* will just
> > display the message text, leaving the signature alone it its own
> > attachment.
> 
> And a decent client that does understand PGP will do the same if you
> tell it to, so you don't have to be encumbered with it if you don't
> want to be.

Alan's complaints here are very curious as his headers indicate he uses
mutt.  Which was designed as a reference RFC 2015 implementation by
Michael R. Elkins, specifically to provide PGP signature and encryption
support.

Similarly, Alan's mail configuration breaks threads for some reason.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Support the EFF, they support you:  http://www.eff.org/

Attachment: pgpCA03cn9L5J.pgp
Description: PGP signature


Reply to: