[Enigmail] PGP indicates enigmail signed messages are invalid

John W. Moore III jmoore3rd at bellsouth.net
Mon Apr 13 01:44:24 PDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Moonchild wrote:

> all my peers so far have used these cyphers and hashes as well. (weren't
> those good enough, or what?)

Keyword here = "weren't"

At one time these signature hashes 'were' good enough.  No longer.  MD5
is demonstrably broken.  SHA1 has suffered man-made collisions and is
teetering on the brink of crypto extinction.  RIPEMD160 is simply
another 160-bit Hash and once SHA1 is completely broken the knowledge
learned from MD5 & SHA1 will be turned toward RIPEMD160.  It would be
prudent to begin migrating away from these 3 hash algorithms immediately.

As to the IDEA .dll; this algorithm is native to PGP6 and would only
need to be manually added to GnuPG installations.  Since You earlier
stated that You are using PGP6 from the command line My suspicion is
that analysis of Your messages would reveal that 3DES is the cipher used
for encryption.

From the GnuPG Manual the --pgp6 command will accomplish:

       --pgp6 Set up all options to be as PGP 6 compliant as possible.
       This restricts you to the ciphers IDEA (if the IDEA plugin is
       installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
       and the compression algorithms none and ZIP. This also disables
       --throw-keyids, and making signatures with signing subkeys as
       PGP 6 does not understand signatures made by signing subkeys.

       This option implies --disable-mdc --no-sk-comment
       --escape-from-lines --force-v3-sigs.

The 'restrictions' that this compatibility option places upon GnuPG are
an indication of just how limited PGP6 is in the present.  :-\  Since
You earlier indicated that You are using Enigmail simply place --pgp6 in
the Preferences box labeled 'Additional Parameters' and these
restrictions will be enforced with every instance.

> So, it just means I've never run into anyone so far who uses RFC4880
> encryption/signing, with all the contacts I have  ;-)

Actually, the presence of broken/Bad signatures tends to indicate that
You have "run into" some correspondents using RFC compliant software.
The unverifiable signatures are most probably from GnuPG Users who
haven't restricted GPG with the --pgp6 limiter.  Because of the pains
taken to ensure backwards compatibility by the GnuPG Developers
encryption/decryption is still possible.  Public Keys carry embedded
statements [called preferences] which broadcast which ciphers/algorithms
they are compatible with.  This allows the encrypting Application to
make selections based upon mutual compatibility.

You didn't mention whether the PGP 6.5.8 version is a CKT build but if
it is this also exposes the User to an entirely different can of worms;
some of which may be expressly illegal.  I say 'may be' because I am not
conversant in Swedish law.

HTH

JOHN 8-)
Timestamp: Monday 13 Apr 2009, 04:44  --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn4979: (MingW32)
Comment: Public Key at:  http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage:  http://tinyurl.com/yzhbhx

-----END PGP SIGNATURE-----
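
The preference-based selection described in the message above, sketched as an added example that is not part of the original post and is not GnuPG's own code. It assumes a simplified position-sum ranking, constructed preference lists for the two sample keys, and the RFC 4880 rule that 3DES (ciphers) and SHA1 (hashes) are tacitly last in every list.

```python
# Added illustration (not GnuPG code). Key preference lists below are constructed.
PGP6_CIPHERS = ["IDEA", "3DES", "CAST5"]    # --pgp6 cipher set, per the manual excerpt
PGP6_HASHES = ["MD5", "SHA1", "RIPEMD160"]  # --pgp6 hash set, per the manual excerpt
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}  # the three hashes the post says to leave

def negotiate(pref_lists, implicit, allowed=None):
    """Return the best algorithm every recipient key advertises, or None.

    pref_lists: one ordered preference list per recipient key.
    implicit:   algorithm RFC 4880 treats as tacitly last in every list.
    allowed:    optional sender-side restriction (e.g. the --pgp6 sets).
    """
    lists = [list(p) if implicit in p else list(p) + [implicit] for p in pref_lists]
    common = set(lists[0]).intersection(*lists[1:])
    if allowed is not None:
        common &= set(allowed)
    if not common:
        return None
    # Simplified ranking (assumption): lowest summed position wins,
    # ties broken by the first recipient's order.
    return min(common, key=lambda a: (sum(l.index(a) for l in lists), lists[0].index(a)))

def plan_message(recipients, pgp6_mode=False):
    """Choose cipher and signature hash for a set of recipient keys."""
    cipher = negotiate([r["ciphers"] for r in recipients], "3DES",
                       PGP6_CIPHERS if pgp6_mode else None)
    digest = negotiate([r["hashes"] for r in recipients], "SHA1",
                       PGP6_HASHES if pgp6_mode else None)
    return {"cipher": cipher, "hash": digest, "weak_hash": digest in WEAK_HASHES}

# Constructed sample keys: a current GnuPG-style key and a PGP 6-style key.
MODERN = {"ciphers": ["AES256", "AES192", "AES", "CAST5", "3DES"],
          "hashes": ["SHA512", "SHA256", "SHA1"]}
PGP6 = {"ciphers": ["CAST5", "IDEA", "3DES"],
        "hashes": ["MD5", "SHA1", "RIPEMD160"]}

if __name__ == "__main__":
    cases = [("modern only      ", [MODERN], False),
             ("modern + PGP 6   ", [MODERN, PGP6], False),
             ("modern, --pgp6 on", [MODERN], True)]
    for label, keys, mode in cases:
        print(label, plan_message(keys, mode))
```

The third case shows the cost of the compatibility switch: even when the only recipient advertises SHA512, the --pgp6 hash set leaves nothing outside the three hashes the message advises migrating away from.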

