[Enigmail] MIME multipart/signed and the risk of followon MIME parts

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 5 09:36:28 PDT 2009


it gets weirder!

On 05/05/2009 12:01 PM, Daniel Kahn Gillmor wrote:
> *-+ Content-Type: multipart/mixed (A)
>   +--+ Content-Type: multipart/signed (X)
>   |  +-- Content-Type: text/plain (Y)
>   |  +-- Content-Type: application/pgp-signature (Z)
>   +-- Content-Type: text/plain (disposition: inline) (B)
> 
> (B) in this case is the mailing list footer.

I tried crafting a message like this, but with additional injected text
(C) above the signed part (X):

*-+ Content-Type: multipart/mixed (A)
  +-- Content-Type: text/plain (disposition: inline) (C)
  +--+ Content-Type: multipart/signed (X)
  |  +-- Content-Type: text/plain (Y)
  |  +-- Content-Type: application/pgp-signature (Z)
  +-- Content-Type: text/plain (disposition: inline) (B)

In this case, icedove displays C<hr>Y<hr>B, but no enigmail header
appears at all, and the MUA does not appear to be aware that any part of
the message itself was signed.

Is this intentional?  What should enigmail do in this scenario where
only a section of the message is signed?

	--dkg
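The layout in the message above can be checked mechanically. This is an added example, not part of the original post and not Enigmail's code: it walks a MIME tree and reports which displayed leaf parts sit inside a multipart/signed container. The sample message and the function names are constructed for illustration, and no signature verification is performed.

```python
from email import message_from_string

# Constructed sample: the layout from the post, with unsigned parts (C) and (B)
# around the multipart/signed part (X). The signature body is a placeholder.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="A"

--A
Content-Type: text/plain
Content-Disposition: inline

injected text (C)
--A
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="X"

--X
Content-Type: text/plain

signed body (Y)
--X
Content-Type: application/pgp-signature

(placeholder signature)
--X--
--A
Content-Type: text/plain
Content-Disposition: inline

list footer (B)
--A--
"""

def walk(part, covered=False):
    """Yield (content_type, text, covered_by_signature) for each leaf part."""
    if part.is_multipart() and part.get_content_type() == "multipart/signed":
        # RFC 3156: first child is the signed content, second the signature.
        yield from walk(part.get_payload(0), True)
    elif part.is_multipart():
        for child in part.get_payload():
            yield from walk(child, covered)
    else:
        yield part.get_content_type(), part.get_payload().strip(), covered

def signature_coverage(raw):
    return list(walk(message_from_string(raw)))

def is_partially_signed(raw):
    flags = [covered for _, _, covered in signature_coverage(raw)]
    return any(flags) and not all(flags)
```

A mail client could use a result like `is_partially_signed` to mark each displayed part as signed or unsigned, rather than showing no signature status at all.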
