Am Mo 05.11.2012, 16:47:40 schrieb Johan Wevers:
> On 05-11-2012 16:29, Hauke Laging wrote:
> > I don't understand why PGP/MIME
> > does not define a seperate signature for the relevant sender created
> > headers (from, to, subject, date). That would protect the headers and
> > allow filters to check the sender without exposing the data signature.
>
> That would lead to many false warnings about signature errors, since
> those headers are often mangled with by mail transport software ("long"
> lines broken, (de)html-ized, control characters inserted (%20 instead of
> a space), etc. etc.Comparing the legacy headers and signed headers is not the only option. Much easier would be: If the legacy headers are mangled with anyway then just replace them by the signed ones (the last MTA or the MDA would do that) and perhaps mark them as corrected. The MUA could even do that itself. This approach would even easily allow to hide the real subject by just setting some dummy value. > I > predict that it will be nearly impossible to get this both so adaptive > that the number of false sig errors reduces to almost zero AND does not > contain lots of holes for spammers to exploit. The main problem is, of course, to get crypto more widely used. Otherwise things like this are just luxury problems. But if someday more people have started using crypto then such signature errors due to header mangling would soon become a problem for the respective ISPs. You do not need a technical solution for everything; sometimes the market does. :-) Given the amount of problems that can arise from spam and malware I am surprised that the Western governments seem not to do anything about securing this meanwhile critical infrastructure. Hauke -- ☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04)
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
