Signature/encryption, what's the standard ?

Signature/encryption, what's the standard ?

[Oscar Figueiredo]

[-- Attachment #1: Type: text/plain, Size: 576 bytes --]


I would like to know what's the preferred way of signing messages nowadays: PGP 
or S/MIME (i.e. RFC 2015 or 2646) ?

I'm asking because I just had an argument with a M*crosoft Outlook user who
claimed the body of my messages appear as attachments instead of inline and I
should therefore use S/MIME instead of PGP signatures because it was the
preferred way to sign a message.

Not that I agree with him since both signature types are standards track RFCs,
but does pGnus have some support for PGP or S/MIME of any kind (I haven't been
using pGnus for a long time) ?

Oscar

[-- Attachment #2: Type: application/pgp-signature, Size: 261 bytes --]

Re: Signature/encryption, what's the standard ?

[Alan Shutko]

Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch> writes:

> should therefore use S/MIME instead of PGP signatures because it was the
> preferred way to sign a message.

Correction: "His mailreader's preferred way to read signed messages."

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
Hedonist for hire... no job too easy!

Re: Signature/encryption, what's the standard ?

[Hrvoje Niksic]

Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch> writes:

> I would like to know what's the preferred way of signing messages
> nowadays: PGP or S/MIME (i.e. RFC 2015 or 2646) ?

FWIW, your messages are neither rfc2015 nor S/MIME.  (And I don't see
what either has to do with rfc2646.)

Re: Signature/encryption, what's the standard ?

[Oscar Figueiredo]

[-- Attachment #1: Type: text/plain, Size: 365 bytes --]

>>>>> "Hrvoje" == Hrvoje Niksic <hniksic@srce.hr> writes:

  Hrvoje> FWIW, your messages are neither rfc2015 nor S/MIME.  (And I don't see
  Hrvoje> what either has to do with rfc2646.)

Sorry, I meant RFC2633 (S/MIME) not 2646 (text/plain).

Why are my messages not RFC2015 compliant ?  Last time I checked they looked
so.  Which requirement is missing ?

Oscar



[-- Attachment #2: Type: application/pgp-signature, Size: 261 bytes --]

Re: Signature/encryption, what's the standard ?

[John Saylor]

Hi

>>>>> "Oscar" == Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch> writes:

 Oscar> I would like to know what's the preferred way of signing
 Oscar> messages nowadays: PGP or S/MIME

Of course, the preferred way is not to sign, as most email is sent
that way. I know the email clients attached to the big 2 browsers have
SMIME support [Outlook/Outlook Express & Netscape Messenger]. And at
one time many moons ago, I played with a PGP plug-in for Eudora.

PGP support is present with Mailcrypt, but I don't think there is an
SMIME component for any emacs based mail readers [at least none have
come my way]. Way down on my list of projects would be to write a lisp
shell that would use OpenSSL to do the crypto stuff to make an SMIME
mail reader for emacs. But it's just sitting there in my queue along
with the "next great american novel".

Does anyone know anything else about this?

-- 
\js

I want you to MEMORIZE the collected poems of EDNA ST VINCENT MILLAY..
 BACKWARDS!!

Re: Signature/encryption, what's the standard ?

[Jason R Mastaler]

John Saylor <jsaylor@mediaone.net> writes:

> I want you to MEMORIZE the collected poems of EDNA ST VINCENT MILLAY..
>  BACKWARDS!!

Hmm.  Perhaps this is why she ended up in an asylum.

Re: Signature/encryption, what's the standard ?

[Stainless Steel Rat]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch>  on Wed, 27 Oct 1999
| I would like to know what's the preferred way of signing messages
| nowadays: PGP or S/MIME (i.e. RFC 2015 or 2646) ?

Privacy Enhanced Mail (PEM).  PGP and GPG follow PEM closely, though they
use different text in the block delimiters.

Benefits of the PEM format:

  * It will work with *ALL* MUAs.
  * It will work with messages saved as files.
  * MUAs aware of PEM, like Gnus, will (or can) automatically hide PEM
    delimiters and encryption/signature blocks.
  * Mailcrypt plays nicely with Gnus.

"Benefits" of using the MIME formats:

  * Only work with MUAs that grok MIME.  /bin/mail won't cut it.
  * Messages are potentially vulnerable to "whitespace corruption" by MTAs
    that either add or remove whitespace, causing an otherwise valid
    message not to pass a signature check.
  * Signatures of MIME messages saved as files cannot be checked as neither 
    PGP nor GPG grok MIME.
  * In general, attachments suck.

| I'm asking because I just had an argument with a M*crosoft Outlook user
| who claimed the body of my messages appear as attachments instead of
| inline and I should therefore use S/MIME instead of PGP signatures
| because it was the preferred way to sign a message.

If his MUA cannot inline text parts, his MUA is broken.  Outlook broken?
No news there.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0e (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4F66fgl+vIlSVSNkRAptaAJ9qsKjHoHkzmjKOEw+HQuiXxhM7CACfaW77
TXcE73fVryuejlrXyMucnfs=
=g4li
-----END PGP SIGNATURE-----

-- 
Rat <ratinox@peorth.gweep.net>    \ Caution: Happy Fun Ball may suddenly
Minion of Nathan - Nathan says Hi! \ accelerate to dangerous speeds.
PGP Key: at a key server near you!  \ 

Re: Signature/encryption, what's the standard ?

[John Saylor]

Hi

>>>>> "Rat" == Stainless Steel Rat <ratinox@peorth.gweep.net> writes:

 Rat> "Benefits" of using the MIME formats:


 Rat> * Messages are potentially vulnerable to "whitespace corruption"
 Rat> by MTAs that either add or remove whitespace, causing an
 Rat> otherwise valid message not to pass a signature check.

I have never heard of this [but I don't stay up to date on MTA
technology]. Does this kind of thing happen often? Which MTAs are
known to exhibit this behavior?

 Rat> * In general, attachments suck.

Well, maybe, but they can be useful. If idiots use email for file
transfer, I'd rather have an attachment than an inline document.

-- 
\js

It's today's SPECIAL!

Re: Signature/encryption, what's the standard ?

[Stainless Steel Rat]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* John Saylor <jsaylor@mediaone.net>  on Wed, 27 Oct 1999
| I have never heard of this [but I don't stay up to date on MTA
| technology].

The early version of X-Pgp was quite prone to this.  I personally
experienced a 100% failure rate with usenet control messages when it was
first adopted (and then I stopped being a news server admin so I have not
kept up with it).

| Does this kind of thing happen often? Which MTAs are known to exhibit
| this behavior?

Delivery agents that deliver to Unix mbox-style mailbox files might append
a blank line to ensure proper envelope separation.  Some POP servers will
do this, too; others will strip *all* trailing whitespace from a message,
all in violation of every mail handling specification as well as POP's
proscription against doing anything but moving messages from point A to
point B.

The purpose of a digital signature is to be 100% positive that such and
such person originated the message.  If there is any possibility at all of
a false negative, the system itself is rendered unreliable.  The frequency
of false negatives is a measure of the unreliablity of that system.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0e (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4F8Yvgl+vIlSVSNkRAo1cAKCyGmIWsBUWvHNQtM6QcnhnYizzagCfb5wa
UgsA5pwsdQP51vat0C3noW4=
=x0qR
-----END PGP SIGNATURE-----

-- 
Rat <ratinox@peorth.gweep.net>    \ Happy Fun Ball may stick to certain types
Minion of Nathan - Nathan says Hi! \ of skin.
PGP Key: at a key server near you!  \ 

Re: Signature/encryption, what's the standard ?

[Jaap-Henk Hoepman]

On 27 Oct 1999 21:02:22 -0400 John Saylor <jsaylor@mediaone.net> writes:
> Hi
> 
> >>>>> "Oscar" == Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch> writes:
> 
>  Oscar> I would like to know what's the preferred way of signing
>  Oscar> messages nowadays: PGP or S/MIME
> 
> Of course, the preferred way is not to sign, as most email is sent
> that way. I know the email clients attached to the big 2 browsers have
> SMIME support [Outlook/Outlook Express & Netscape Messenger]. And at
> one time many moons ago, I played with a PGP plug-in for Eudora.
> 
> [..]
> 
> Does anyone know anything else about this?
> 

Yes, PGP 5 came with a fine plugin for Outlook as well.

Jaap-Henk

-- 
Jaap-Henk Hoepman             | Come sail your ships around me
Dept. of Computer Science     | And burn these bridges down
University of Twente          |       Nick Cave - "Ship Song"
Email: hoepman@cs.utwente.nl === WWW: www.cs.utwente.nl/~hoepman
Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
PGP ID: 0xF52E26DD  Fingerprint: 1AED DDEB C7F1 DBB3  0556 4732 4217 ABEF

Re: Signature/encryption, what's the standard ?

[Hrvoje Niksic]

Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch> writes:

> Why are my messages not RFC2015 compliant ?

My apologies; after closer inspection, your messages do seem to be
rfc2015 compliant.  It's just Gnus that doesn't handle
multipart/signed properly.

But then again, wouldn't it be nice if I could at least tell Gnus
that, when faced with a multipart/signed thingy, it ignores the second
part?

mm-* hackers?  Anyone?

Re: Signature/encryption, what's the standard ?

[Graham Murray]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hrvoje Niksic <hniksic@srce.hr> writes:


> My apologies; after closer inspection, your messages do seem to be
> rfc2015 compliant.  It's just Gnus that doesn't handle
> multipart/signed properly.

Is it gnus, or Mailcrypt which does not handle it properly?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0e (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE4GCodEhN/ETQwnEERArdJAKCRNG1yrn8qC0t3jUKl5jkQNTnWbACfd2oR
L19hQ6SQuDCJjfLceKwMqg0=
=LTGu
-----END PGP SIGNATURE-----

Re: Signature/encryption, what's the standard ?

[Hrvoje Niksic]

Graham Murray <graham@barnowl.demon.co.uk> writes:

> Hrvoje Niksic <hniksic@srce.hr> writes:
> 
> > My apologies; after closer inspection, your messages do seem to be
> > rfc2015 compliant.  It's just Gnus that doesn't handle
> > multipart/signed properly.
> 
> Is it gnus, or Mailcrypt which does not handle it properly?

Gnus shows "application/octet-stream" attachments in Oscar's mails.  I
shouldn't see those.

I don't use mailcrypt.

Re: Signature/encryption, what's the standard ?

[David Kågedal]

Hrvoje Niksic <hniksic@srce.hr> writes:

> Graham Murray <graham@barnowl.demon.co.uk> writes:
> 
> > Hrvoje Niksic <hniksic@srce.hr> writes:
> > 
> > > My apologies; after closer inspection, your messages do seem to be
> > > rfc2015 compliant.  It's just Gnus that doesn't handle
> > > multipart/signed properly.
> > 
> > Is it gnus, or Mailcrypt which does not handle it properly?
> 
> Gnus shows "application/octet-stream" attachments in Oscar's mails.  I
> shouldn't see those.

No, you should see them as application/pgp-signature.  That's how it's
declared in the mail.  But I guess you didn't want to see that
either...

-- 
David Kågedal

Re: Signature/encryption, what's the standard ?

[Hrvoje Niksic]

davidk@lysator.liu.se (David Kågedal) writes:

> > Gnus shows "application/octet-stream" attachments in Oscar's mails.  I
> > shouldn't see those.
> 
> No, you should see them as application/pgp-signature.

Sorry, that's what I meant to write.

Re: Signature/encryption, what's the standard ?

[Steinar Bang]

>>>>> Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch>:

>>>>> "Hrvoje" == Hrvoje Niksic <hniksic@srce.hr> writes:
Hrvoje> FWIW, your messages are neither rfc2015 nor S/MIME.  (And I don't see
Hrvoje> what either has to do with rfc2646.)

> Sorry, I meant RFC2633 (S/MIME) not 2646 (text/plain).

For easy reference:
        http://www.ietf.org/rfc/rfc2015.txt
        http://www.ietf.org/rfc/rfc2633.txt
        http://www.ietf.org/rfc/rfc2646.txt

Re: Signature/encryption, what's the standard ?

[Simon Josefsson]

Steinar Bang <sb@metis.no> writes:

> Hrvoje> FWIW, your messages are neither rfc2015 nor S/MIME.  (And I don't see
> Hrvoje> what either has to do with rfc2646.)
> 
> > Sorry, I meant RFC2633 (S/MIME) not 2646 (text/plain).
> 
> For easy reference:
>         http://www.ietf.org/rfc/rfc2015.txt
>         http://www.ietf.org/rfc/rfc2633.txt
>         http://www.ietf.org/rfc/rfc2646.txt

RFC-junkies like me might like this, it makes Gnus highlight
RFC-looking references and retrieve the document for me.

(defvar gnus-rfc-directory (list (concat (getenv "HOME") "/rfc/")
				 "/afs/stacken.kth.se/ftp/pub/rfc/"
				 "/ftp@ftp.stacken.kth.se:/pub/rfc/"))

(defun gnus-button-embedded-rfc (file)
  (if (string-match "\\([0-9]+\\)" file)
      (let ((dir gnus-rfc-directory)
	    (file (concat "rfc" (match-string 1 file) ".txt")))
	(while (and dir (not (file-readable-p (concat (car dir) file))))
	  (pop dir))
	(find-file (concat (car dir) file)))))

(push '("\\bRFC\\(-\\| \\)?[0-9]+\\(.txt\\|.doc\\)?" 0 t gnus-button-embedded-rfc 0) gnus-button-alist)

Re: Signature/encryption, what's the standard ?

[Eric Marsden]

or (require 'ffap), which can follow RFC names in any buffer (though
it does not buttonize them).

-- 
Eric Marsden
It's elephants all the way down

Re: Signature/encryption, what's the standard ?

[Florian Weimer]

Oscar Figueiredo <Oscar.Figueiredo@di.epfl.ch> writes:

> I would like to know what's the preferred way of signing messages
> nowadays: PGP or S/MIME (i.e. RFC 2015 or 2646) ?

AFAIK, S/MIME uses a X.509 certification hierarchy.  Quite a few people
consider PGP's `web of trust' much more practical than a strict tree-like
hierarchy with a few root certification authorities.

Re: Signature/encryption, what's the standard ?

[David S. Goldberg]

> AFAIK, S/MIME uses a X.509 certification hierarchy.  Quite a few
> people consider PGP's `web of trust' much more practical than a
> strict tree-like hierarchy with a few root certification
> authorities.

There's nothing in any S/MIME implementation I've seen that prevents
anyone from exchanging their own, locally generated, certs without
benefit of verisign or any other authority. I'm one of those who
considers the web of trust model not only more practical, but also
more secure than the hierarchy for certain applications, personal
communication being one of them (I trust my friends to tell me someone
is legit before I trust verisign to do so) but once I have that trust,
there's no reason I can't use S/MIME to handle the encryption part.
-- 
Dave Goldberg
Post: The Mitre Corporation\MS B325\202 Burlington Rd.\Bedford, MA 01730
Phone: 781-271-3887
Email: dsg@mitre.org

Re: Signature/encryption, what's the standard ?

[Lars Magne Ingebrigtsen]

Hrvoje Niksic <hniksic@srce.hr> writes:

> But then again, wouldn't it be nice if I could at least tell Gnus
> that, when faced with a multipart/signed thingy, it ignores the second
> part?
> 
> mm-* hackers?  Anyone?

I've now made application/pgp-signature be displayed inline with
`ignore' as the viewer.  Which makes them disappear altogether, of
course. 

-- 
(domestic pets only, the antidote for overdose, milk.)
   larsi@gnus.org * Lars Magne Ingebrigtsen