From: Reiner Steib
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Broken display of clearsigned PGP message
Date: Fri, 13 Oct 2006 17:31:15 +0200
Organization: Dept. of Theoretical Physics, University of Ulm
References: <87u02sr1yx.fsf@gate450.dyndns.org> <87zmc0thhh.fsf@gate450.dyndns.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

On Fri, Oct 13 2006, Andreas Seltenreich wrote:

>> I'm not sure if this message is legal according to RFC 2440. In 6.2
>> it states that Armor Headers are followed by a blank line, which is
>> defined as "zero-length, or containing only whitespace", however in
>> 7. it uses the term "empty line" when describing Armor Headers in
>> cleartext signatures.
>>
>> IMHO we should follow "be liberal in what you accept" here, especially
>> since GnuPG considers the message legal. Should I apply the attached
>> patch to v5-10 and HEAD? Can anyone imagine regressions?
>
> I just realized that with the current behavior, an attacker could
> completely replace the text within Gnus' signed-message markup with
> his own message without interfering with the verification process. So
> I guess it is hard to make the situation worse... Will commit the
> patch.

Thanks. I'd suggest adding a rather detailed explanation about this
problem and the relevant RFC in `mm-uu-pgp-signed-extract-1'.

Bye, Reiner.
-- 
       ,,,
      (o o)
---ooO-(_)-Ooo---  |  PGP key available  |  http://rsteib.home.pages.de/
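
The separator ambiguity discussed in this thread, as an added example that is not part of the original message and is not Gnus code: a Python check that extracts the cleartext under both readings of RFC 2440 (whitespace-only "blank line" versus zero-length "empty line") and flags a message when the two readings select different text. The function names and the sample message are constructed for illustration.

```python
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"
# RFC 2440 section 6.2: a blank line is zero-length or only whitespace.
BLANK = re.compile(r"^[ \t]*$")
# Stricter reading of the "empty line" wording in section 7.
EMPTY = re.compile(r"^$")

# Constructed sample: the separator after the armor header is one space.
SAMPLE = "\n".join([
    BEGIN,
    "Hash: SHA1",
    " ",
    "first signed paragraph",
    "",
    "second signed paragraph",
    SIG,
    "(constructed placeholder, not a real signature)",
    "-----END PGP SIGNATURE-----",
])


def signed_text(message, separator):
    """Return the cleartext lines between the armor headers and the signature."""
    lines = message.split("\n")
    start = lines.index(BEGIN) + 1
    end = lines.index(SIG)
    # Skip armor headers until the first line the separator rule accepts.
    body = start
    while body < end and not separator.match(lines[body]):
        body += 1
    if body == end:
        raise ValueError("no separator line after the armor headers")
    # Undo dash-escaping ("- " prefix, RFC 2440 section 7.1) for display.
    return [ln[2:] if ln.startswith("- ") else ln for ln in lines[body + 1:end]]


def display_matches_verifier(message):
    """True when the strict and the liberal reading select the same text."""
    liberal = signed_text(message, BLANK)
    try:
        strict = signed_text(message, EMPTY)
    except ValueError:
        return False
    return strict == liberal
```

On the constructed sample the strict reading drops the first paragraph, so the displayed text no longer corresponds to what a liberal verifier checked; a display layer should use the same separator rule as the verifier it relies on.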