[Enigmail] MIME multipart/signed and the risk of followon MIME parts

Patrick Brunschwig patrick at mozilla-enigmail.org
Wed May 6 00:56:57 PDT 2009


Ludovic Hirlimann wrote:
> On 5/6/09 8:49 AM, Patrick Brunschwig wrote:
>> Daniel Kahn Gillmor wrote:
>>   
>>> it gets weirder!
>>>
>>> On 05/05/2009 12:01 PM, Daniel Kahn Gillmor wrote:
>>>     
>>>> *-+ Content-Type: multipart/mixed (A)
>>>>    +--+ Content-Type: multipart/signed (X)
>>>>    |  +-- Content-Type: text/plain (Y)
>>>>    |  +-- Content-Type: application/pgp-signature (Z)
>>>>    +-- Content-Type: text/plain (disposition: inline) (B)
>>>>
>>>> (B) in this case is the mailing list footer.
>>>>        
>>> I tried crafting a message like this, but with additional injected text
>>> (C) above the signed part (X):
>>>
>>> *-+ Content-Type: multipart/mixed (A)
>>>    +-- Content-Type: text/plain (disposition: inline) (C)
>>>    +--+ Content-Type: multipart/signed (X)
>>>    |  +-- Content-Type: text/plain (Y)
>>>    |  +-- Content-Type: application/pgp-signature (Z)
>>>    +-- Content-Type: text/plain (disposition: inline) (B)
>>>
>>> In this case, icedove displays C<hr>Y<hr>B, but no enigmail header
>>> appears at all, and the MUA does not appear to be aware that any part of
>>> the message itself was signed.
>>>
>>> Is this intentional?  What should enigmail do in this scenario where
>>> only a section of the message is signed?
>>>      
>> It's not intentional. The problem is that the MIME structure information
>> given by Thunderbird is insufficient, thus Enigmail can't detect the
>> signed part.
>>
>>    
> What's the bug number for that?

Some of the bugs are 235482 and 248846. The problem is that there is no
reasonable interface to walk through the MIME parts of a message. See
also <https://wiki.mozilla.org/User:Jminta/Steel#steelIMessage>,
especially the comments related to steelIMessage.

-Patrick
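The following is an added example, not part of the original thread and not Enigmail or Thunderbird code: a walk over the (A)/(C)/(X)/(Y)/(Z)/(B) layout discussed above that reports which leaf parts sit inside the multipart/signed container and which are outside it. The sample message, its boundary strings and the function names `classify` and `classify_parts` are constructed for illustration; the walk only determines structural coverage and does not verify any signature.

```python
from email import message_from_string

# Constructed sample with the layout from the thread; the signature is a placeholder.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer-A"

--outer-A
Content-Type: text/plain
Content-Disposition: inline

injected text (C)
--outer-A
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="signed-X"

--signed-X
Content-Type: text/plain

signed body (Y)
--signed-X
Content-Type: application/pgp-signature

PLACEHOLDER (not a real signature)
--signed-X--
--outer-A
Content-Type: text/plain
Content-Disposition: inline

list footer (B)
--outer-A--
"""

def classify_parts(part, covered=False, path="1"):
    """Return (path, content type, status) for each leaf part, depth first."""
    ctype = part.get_content_type()
    if not part.is_multipart():
        if ctype == "application/pgp-signature":
            return [(path, ctype, "signature")]
        return [(path, ctype, "signed" if covered else "unsigned")]
    rows = []
    for i, child in enumerate(part.get_payload(), 1):
        # RFC 3156: only the first child of multipart/signed is the signed data.
        child_covered = covered or (ctype == "multipart/signed" and i == 1)
        rows += classify_parts(child, child_covered, f"{path}.{i}")
    return rows

def classify(raw):
    return classify_parts(message_from_string(raw))

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

A mail client with this information could label (C) and (B) as unsigned when rendering them next to (Y), instead of showing no signature status at all.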

