On Thu, Feb 28, 2013 at 12:55:39PM +0100, Stefan Wimmer wrote:
> Hi all,
>
> I recently started to sign all my mails and it took me little time to find
> out that you can't delete attachments in signed/encrypted mails ... ;-)
>
> Now I want to automate the way I use crypt_autosign that mutt checks first
> if there is an attachment and only signs the mail if that's not the case. I
> was thinking along the lines of

I have a couple of comments about this:

- Why sign most messages? Unless the information is important for others to
  verify that it came from a particular person, why add the bloat of a
  signature? Beyond this, I find it ironic that people sign e-mail with a
  private key where its public key isn't found on a standard PGP/GPG
  keyserver like pgp.mit.edu or kerckhoffs.surfnet.nl.

- If one is concerned enough about allowing others to verify the integrity
  of a message, shouldn't this concern also extend to attachments, which are
  a classic attack vector?

--
Will Fiveash