Re: why application/pgp; x-action=sign != application/pgp-signature ?

[Nuutti Kotivuori <nuutti.kotivuori@sonera.com>]

"Cyrille" == Cyrille Lefevre <clefevre@citeweb.net> writes:
> well, I go to iana to find the specs about pgp, which refer to rfc2015
> which only known about application/pgp-something. so, you are right and
> the product I'm using seems to be wrong. maybe it is (always) using an
> pre-standard. who knowns ?

Um. There's three ways to send PGP messages.

The first, the oldest, the broken one is to just use PGP to clearsign
something and tag it into the message body. The message Content-Type:
will be text/plain, if there even is a content-type. The message body
will contain the normal 'BEGIN PGP SIGNED TEXT' etc. parts.

Then there's PGP-Kaze - namings differ. Which is quite similar to the
one above, but instead of the text/plain content type, we say
application/pgp (with attributes telling if it's signed or encrypted
or what). This is also called the traditional PGP mail. This does not
work with attachments - you need to encrypt/sign every attachment
separately, and you have no way of keeping them all together -
eg. some attachment might be removed and no signature would be
invalid. It has other problems as well.

And then we have RFC2015, PGP/MIME standard. This is the only working
one. It works by using MIME for everything, enclosing the whole signed
or encrypted part in multipart/signed or multipart/encrypted
content-type, and having the separate signature be
application/pgp-signature.

PGP/MIME is the working method, but very few programs are supporting
it. Gnus does not support it either, tho some people (possibly
including me) are developing it currently. So Gnus just _ignores_ the
application/pgp-signature type and _does not_ verify the
signature. Mutt is the de facto standard mailer for sending PGP/MIME
messages.

The other two methods are used interchangeably often, and are
supported by the latest version of PGP plugins for windows. They are
not really suited for anything but text messages, but people use them
anyway since they have nothing better. Mailcrypt is the way to use
these messages with Gnus. It comes with emacsen I think.

So, your program sends the older, obsolete, standard type PGP messages
which are handled by Mailcrypt, but which are the most commonly used
messagetypes currently. The newer standard is displayed properly by
Gnus, since the PGP/MIME standard allows correct text display even if
the mailer does not support PGP/MIME, but it _cannot_ be used for
writing such mails or to verify the signatures, which doesn't matter
ofcourse if you are not interested.

-- Naked