[Enigmail] MIME multipart/signed and the risk of followon MIME parts
Patrick Brunschwig
patrick at mozilla-enigmail.org
Tue May 5 23:49:28 PDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Daniel Kahn Gillmor wrote:
> it gets weirder!
>
> On 05/05/2009 12:01 PM, Daniel Kahn Gillmor wrote:
>> *-+ Content-Type: multipart/mixed (A)
>> +--+ Content-Type: multipart/signed (X)
>> | +-- Content-Type: text/plain (Y)
>> | +-- Content-Type: application/pgp-signature (Z)
>> +-- Content-Type: text/plain (disposition: inline) (B)
>>
>> (B) in this case is the mailing list footer.
>
> I tried crafting a message like this, but with additional injected text
> (C) above the signed part (X):
>
> *-+ Content-Type: multipart/mixed (A)
> +-- Content-Type: text/plain (disposition: inline) (C)
> +--+ Content-Type: multipart/signed (X)
> | +-- Content-Type: text/plain (Y)
> | +-- Content-Type: application/pgp-signature (Z)
> +-- Content-Type: text/plain (disposition: inline) (B)
>
> In this case, icedove displays C<hr>Y<hr>B, but no enigmail header
> appears at all, and the MUA does not appear to be aware that any part of
> the message itself was signed.
>
> Is this intentional? What should enigmail do in this scenario where
> only a section of the message is signed?
It's not intentional. The problem is that the MIME structure information
given by Thunderbird is insufficient, thus Enigmail can't detect the
signed part.
- -Patrick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEVAwUBSgEy93cOpHodsOiwAQhv8wf/c8IJMN0SU298xmlsy+COxJy63xU7BjAn
/ghRkxWbe6rkXycaWPhqKiBSY9ojXSFjNbp7X9P0G7/ImObe7oJkrX9WM3rSAWAs
KvXsNuhmq+3kZ7rCrvHIUqSeDxL3RdTRQCyZ+WSWWKrVxg4HfL3JIYVI16ZOUPFv
BB+d3Tapv7lNRY0xDnB7Ra8fD+LKVgMmWaEGaDIqb+J8vFz5EO7LPBdENismeJZm
S0j/2wPX0+AvDYN0IEhVCvq93IXe1AYcgxVUSoOOz7feJWE9i7/zxKBSYHW4WdJd
K6az3SuAq8EkPtFVvzpgUzNQKpm5rZqwdgw7ek6T1AWiKzwyGegtDg==
=eQLW
-----END PGP SIGNATURE-----
More information about the Enigmail
mailing list