On Sat 2015-02-14 16:36:08 -0500, Doug Barton wrote:
> FWIW, I hate this debate, and try hard to stay out of it. But it really
> bothers me when people spread factually incorrect information,
> especially when they try to use that as the basis of their arguments
> for/against one method or the other.

I feel the same way.

>> * AFAIK, inline gpg has issues with non-ascii characters. 😞 Correct me if I'm
>> wrong.
>
> This hasn't been true for almost a decade, assuming that the person
> using the non-ASCII characters has correctly set up their environment.
> And FWIW, it's also not true that PGP/MIME will be 100% successful when
> one of the communicants has not correctly set up their environment.

If we're talking about signed messages with the possibility of an adversary who can modify the messages, then the fact is that inline PGP messages have no way of securely indicating the character encoding in use. This means that an attacker can actually modify how the cleartext message is interpreted by fiddling with data *outside* the message body.

If we're talking about encrypted messages, the same problem holds.

I demonstrate this in the "Message tampering through header substitution" section here:

  https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/

The lesson here is: if you care about getting the intended textual message through to your peer, you need to embed some information about the formatting *within* the signature. PGP/MIME provides a clear, well-defined way to provide that information.

> It's also not true that PGP/MIME protects you from metadata analysis.
> The messages are not "one big blob," they are actually separated into
> parts, including the attachments. It's trivial to see how many
> attachments are in a message just by analyzing the MIME headers, whether
> the message/attachments are encrypted or not.

If we're talking about PGP/MIME encrypted messages, this is not correct.

When having this debate, some people are talking about encrypted messages; others are talking about signed messages. There are lots of ways to talk past one another with this stuff, so please be clear about whether you're talking about encrypted or signed messages.

Regards,

--dkg
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
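The header-substitution problem described in the message above, as an added example that is not part of the original post or of dkg's notes. It models the one property that matters here: which bytes the signature covers. Inline PGP signs only the body bytes, while PGP/MIME (RFC 3156, via RFC 1847) signs the whole MIME body part including its Content-Type header. The OpenPGP signature is replaced by an HMAC over the covered bytes, and the key, the message text and the charset pair (0xA3 is "£" in ISO-8859-1 and "ё" in KOI8-R) are all constructed for the demo, not taken from the page.

```python
import hashlib
import hmac

# Stand-in for an OpenPGP signature: an HMAC over exactly the bytes the
# signer covers. Real OpenPGP uses a public-key signature; the only thing
# this demo cares about is *which bytes* are under the signature.
# Hypothetical demo key, not a real PGP key.
SIGNING_KEY = b"demo-signing-key-not-a-real-pgp-key"


def sign(covered: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, covered, hashlib.sha256).digest()


def verify(covered: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(covered), sig)


# Constructed message: the sender writes "£5" and the MUA encodes the body
# as ISO-8859-1, so the pound sign becomes the single byte 0xA3.
BODY = "Pay \xa35 to Alice".encode("iso-8859-1")
ORIGINAL_CHARSET = "iso-8859-1"
ATTACKER_CHARSET = "koi8-r"  # byte 0xA3 decodes to "ё" under KOI8-R


def content_type(charset: str) -> str:
    return f"text/plain; charset={charset}"


def render(headers: dict, body: bytes) -> str:
    """What the recipient's MUA displays: body decoded per the Content-Type header."""
    charset = headers["Content-Type"].split("charset=")[1]
    return body.decode(charset)


# Inline PGP: only the body bytes are signed. The Content-Type header sits
# in the outer RFC 822 message, outside the signed data.
def inline_sign(body: bytes):
    headers = {"Content-Type": content_type(ORIGINAL_CHARSET)}
    return headers, body, sign(body)


def inline_verify(headers: dict, body: bytes, sig: bytes) -> bool:
    return verify(body, sig)


# PGP/MIME: the signature is computed over the entire first body part of the
# multipart/signed container, including its MIME headers (CRLF-canonicalised),
# so the charset declaration is inside the signed data.
def mime_part(headers: dict, body: bytes) -> bytes:
    return f"Content-Type: {headers['Content-Type']}\r\n\r\n".encode("ascii") + body


def pgpmime_sign(body: bytes):
    headers = {"Content-Type": content_type(ORIGINAL_CHARSET)}
    return headers, body, sign(mime_part(headers, body))


def pgpmime_verify(headers: dict, body: bytes, sig: bytes) -> bool:
    return verify(mime_part(headers, body), sig)


def header_substitution(headers: dict) -> dict:
    """Man-in-the-middle rewrites only the charset; body bytes are untouched."""
    tampered = dict(headers)
    tampered["Content-Type"] = content_type(ATTACKER_CHARSET)
    return tampered


def demo() -> dict:
    results = {}

    h, b, s = inline_sign(BODY)
    t = header_substitution(h)
    results["inline_original_ok"] = inline_verify(h, b, s)
    results["inline_tampered_ok"] = inline_verify(t, b, s)   # still verifies
    results["inline_original_text"] = render(h, b)          # "Pay £5 to Alice"
    results["inline_tampered_text"] = render(t, b)          # "Pay ё5 to Alice"

    h, b, s = pgpmime_sign(BODY)
    t = header_substitution(h)
    results["pgpmime_original_ok"] = pgpmime_verify(h, b, s)
    results["pgpmime_tampered_ok"] = pgpmime_verify(t, b, s)  # header change breaks the signature
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The inline case verifies cleanly before and after the header swap, yet the recipient sees a different string each time; the PGP/MIME case fails verification the moment the charset is touched, which is exactly the "formatting information inside the signature" that the message argues for. Which substitute charset makes the altered text look plausible depends on the body bytes, so the example only asserts that the rendering changes.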