
Re: gpg/pgp noise



On Tue, May 08, 2012 at 04:15:28PM -0400, Celejar wrote:
> I'm no expert in all this, but can you explain and document what you
> mean by the claim that "headers ... must be verified"? All emails have
> their headers modified en route (e.g., "Received:" and "Delivered-To"
> are added, as are all kinds of "X-stuff" ones). Does PGP/MIME really
> protect all headers (beyond the MIME ones)? It really breaks if *any*
> headers are modified? Please provide documentation.

Writing off the top of my head, you may wish to verify everything I say ☺
PGP/MIME does not verify the headers, but your mail is a multipart/mime mail,
and it does verify the specific MIME headers that define the encoding for the
signed part.  If the message is decoded, or re-encoded, then these headers can
change (either semantically, if the re-encoding is via a different scheme, or
simply syntactically, afaik whitespace changes etc.)  There's a related problem
where you can't get at the original mail (so: web archives of mailing lists
only give you the decoded bits; I think RT is similar, which is why when
someone needs to submit a ticket to the Debian RT queue, they are told to use
inline PGP: http://keyring.debian.org/)
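An added example, not part of the original message: it shows why re-encoding or refolding the signed part defeats verification even though the readable text stays the same. The sample part, the two "gateway" functions, and the use of SHA-256 as a stand-in for the signature's hash input are assumptions made for illustration.

```python
import base64
import hashlib
from email import message_from_bytes

# Constructed sample: the first body part of a multipart/signed mail, i.e. the
# bytes the signature is computed over (the part's MIME headers plus its body).
ORIGINAL = (
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Caf=C3=A9 at noon.\r\n"
)

def decoded_text(part: bytes) -> bytes:
    """What a reader or a web archive sees after transfer decoding."""
    return message_from_bytes(part).get_payload(decode=True)

def signed_digest(part: bytes) -> str:
    """SHA-256 over the raw part, standing in for the signature's hash input."""
    return hashlib.sha256(part).hexdigest()

def reencode_as_base64(part: bytes) -> bytes:
    """Hypothetical gateway: same text, different Content-Transfer-Encoding."""
    msg = message_from_bytes(part)
    body = base64.encodebytes(decoded_text(part)).replace(b"\n", b"\r\n")
    return (b"Content-Type: " + msg["Content-Type"].encode("ascii") + b"\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + body)

def refold_header(part: bytes) -> bytes:
    """Hypothetical gateway: only folds the Content-Type header onto two lines."""
    return part.replace(b"text/plain; charset", b"text/plain;\r\n charset", 1)

def compare(variant: bytes) -> tuple[bool, bool]:
    """Return (decoded text unchanged?, signed bytes unchanged?)."""
    return (decoded_text(variant) == decoded_text(ORIGINAL),
            signed_digest(variant) == signed_digest(ORIGINAL))

if __name__ == "__main__":
    for name, fn in (("base64", reencode_as_base64), ("refold", refold_header)):
        same_text, same_sig_input = compare(fn(ORIGINAL))
        print(f"{name}: text unchanged={same_text}, "
              f"signed bytes unchanged={same_sig_input}")
```

In both cases the decoded text matches but the bytes under the signature do not, so a verifier needs the part exactly as it was sent, not the decoded copy.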

