
List:       kde-devel
Subject:    Re: KMail and pgp signing: walking in small circles
From:       Lars Knoll <Lars.Knoll () mpi-hd ! mpg ! de>
Date:       1999-07-30 13:23:04

On Fri, 30 Jul 1999, Sven Radej wrote:

> As I said it is fixed and works fine. But.
> 
> Method 1)
> The current "fixed" way works fine and robust except when someone has
> non-us-ascii characters in the message: a single umlaut would cause pgp to
> detect that message is "binary", and pgp will encode it making it unreadable
> without PGP - that is no clear text signing.

That was exactly why I made the detached signature once...

> My next idea was to force non-us-ascii people (pih, neglectable minority: only
> all german speaking, scandinavian and central european people, let alone other
> more exotic) to use Quoted-Printable. In this case KMail would encode message to
> quoted-printable before signing. Doesn't work - MTAs (recent sendmails) will
> turn it into 8bit and therefore corrupt it. Is there a way to notify MTA by some
> header not to do this? And besides is that the right way to do this? Isn't
> quoted-printable passe? Do other mailers check PGP and then decode from
> quoted-printable (KMail doesn't but this could be arranged)? I am sceptic about
> this.

I don't think this will work. Even if there is an option to notify an MTA,
there will for sure be one on the Internet, which will ignore it.

> Method 2)
> The old way (making detached signature and glue it together) fails if there are
> trailing spaces in some line. In pgp5.01 option "clearsig" (in that case
> pgp should ignore trailing whitespace in computing the signature) simply doesn't
> work.
> 
> My last idea now is to strip all trailing white space from message before
> signing it. 

That's probably the way to go. It's a completely stupid behaviour of
pgp...

> And by the way: did you know that if you sign/encrypt your message, attachments
> are not signed/encrypted? I didn't! Should they or not?

I think they should. You could attach a document you composed, containing
sensitive information. And it's not clear to users that the attached
parts are not protected. If you sign only, one could try to keep the
clearsigning for attachments of kind TEXT/XXXX. The method to do that
would probably be to sign/encrypt each attachment separately.

> My problem is: there is no mail application I could compare KMail to (I am
> going to check Empath sources now). All others Pine, Mutt, XFmail either do the
> method 1 or use some obscure filters (which do not work in Pine 4.1). I did
> browse the Web, Usenet, even mailed to one PGP guy (but, before reading the
> license: no support for freeware) I didn't find anything useful.

Hmmm, as far as I remember, there existed some sort of RFC about this.
Have a look at 
http://velociraptor.mni.fh-giessen.de/cgi-bin/webglimpse/home/httpd/html/rfc?localcopy=n&query=pgp&errors=0&age=&maxfiles=50&maxlines=30


Cheers,
Lars
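
The trailing-whitespace stripping discussed in this thread, together with a check for the non-US-ASCII bytes that trigger the "binary" handling in method 1, as an added example that is not part of the original message and not KMail's code. The function names are hypothetical, the sample text is constructed, and normalising line endings to CRLF is an assumption beyond what the thread proposes.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: strip trailing spaces/tabs from every line and emit
// CRLF line endings (assumption), so the bytes handed to the signer do not
// depend on whitespace that a mail transport or editor may add or drop.
std::string canonicalizeForSigning(const std::string& body) {
    std::string out;
    std::size_t pos = 0;
    while (pos < body.size()) {
        std::size_t eol = body.find('\n', pos);
        bool hadNewline = (eol != std::string::npos);
        std::size_t end = hadNewline ? eol : body.size();
        // Drop the CR of a CRLF pair together with trailing blanks.
        while (end > pos && (body[end - 1] == '\r' || body[end - 1] == ' ' ||
                             body[end - 1] == '\t'))
            --end;
        out.append(body, pos, end - pos);
        if (hadNewline) out += "\r\n";
        pos = hadNewline ? eol + 1 : body.size();
    }
    return out;
}

// Hypothetical helper: offset of the first byte outside US-ASCII, or
// std::string::npos if the text is pure 7-bit. A mailer can use this to
// decide up front that the body needs different handling before signing.
std::size_t firstNon7Bit(const std::string& body) {
    for (std::size_t i = 0; i < body.size(); ++i)
        if (static_cast<unsigned char>(body[i]) > 0x7F) return i;
    return std::string::npos;
}

int main() {
    // Constructed sample: as composed, and as it might arrive after a
    // transport dropped trailing blanks and rewrote line endings.
    const std::string composed = "Hello Sven,  \nsee below\t\nLars";
    const std::string received = "Hello Sven,\r\nsee below\r\nLars";
    std::cout << "same signed bytes: " << std::boolalpha
              << (canonicalizeForSigning(composed) ==
                  canonicalizeForSigning(received)) << "\n";
    std::cout << "first 8-bit byte at: " << firstNon7Bit("caf\xC3\xA9 \n") << "\n";
    return 0;
}
```

Both the signing and the verifying side have to apply the same canonicalisation, otherwise the signature is computed and checked over different bytes.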

