
Re: PGP output lines...



On Fri, Oct 31, 2003 at 09:30:59AM -0800, Rob Reid wrote:

> At  3:57 PM PST on October 30 David Yitzchak Cohen sent off:
> > On Thu, Oct 30, 2003 at 05:42:05PM -0500, Todd wrote:
> > 
> > > If you aren't going to look at the output of gpg, then you could just
> > > 
> > >     :unset pgp_verify_sig
> > 
> > That's not what he means.  (No, I can't read his mind.  I just remember
> > the last time he asked this question ... and my answer, too. . .)
> 
> Was that the same thread where I pointed out that there's more behind the
> lines than appears at first glance?

possible ... not sure off-hand, though

> > David: Please file a wishlist "bug" report.  Coding a patch to implement
> > that change is trivial for anybody familiar with the relevant code.
> > If you file the bug report and nobody else steps forward, email me and
> > I'll hack up a patch just out of spite.
> 
> If by trivial you include checking if the sender put fake "Good signature"
> lines into the plaintext, fine.  And don't forget the cases where some, but
> not all, of the plaintext (more likely attachments) is signed.

I don't include checking that.  I assume that if you don't see the "S"
in the top left corner, you'll know it ain't signed ... and if you see a
"s" instead, you'll know verification failed.  The PGP output is merely
a convenience feature.  I'd just as soon have the "convenience feature"
of four extra lines on my display to help display the top of the message.
Just for the extra little tidbit of info, though, it's nice to have
a line from the PGP output included verbatim at the top of the message
informing me of _whose_ valid signature is on that message.  Note that the
output of PGP can't be fooled by any malicious message if you take care
to view-attachment any part that claims to be signed before trusting it
to have been signed by the "sender" (which is no worse than what stock
Mutt guarantees without colors - and there's no reason why you can't
have gpg.mutt output terminal control codes to color itself, anyway).

Also, if this patch is implemented by somebody who cares about doing it
properly, it'll be an option like pgp_verbosity which you can set to 0
(no crap at all), 1 (only PGP output), 2 (1 + message introducing PGP
output), 3 (2 + message terminating signed data), and 4 (3 + all PGP
messages in stock Mutt).  The advantage there is that you can then use
all your fun hooks and/or profiles (wanna_read_mail, paranoid, etc.) to
muck with the setting as often as you like.

 - Dave

-- 
Uncle Cosmo, why do they call this a word processor?
It's simple, Skyler.  You've seen what food processors do to food, right?

Please visit this link:
http://rotter.net/israel

Attachment: pgp54fMMwvURk.pgp
Description: PGP signature
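
The concern raised in this thread, as an added example that is not part of the original message or of Mutt's code: take the signature flag for each MIME part only from gpg's `--status-fd` lines, and treat any "Good signature" text inside a body as an unauthenticated claim. The function names, the sample message and the key ID are constructed for illustration.

```python
import re

# Machine-readable lines gpg writes to --status-fd, a channel the sender cannot reach.
STATUS_RE = re.compile(r'^\[GNUPG:\] (GOODSIG|BADSIG|ERRSIG) (\S+) ?(.*)$')
# Human-readable text that anyone can type into a message body.
CLAIM_RE = re.compile(r'^\W*(?:gpg: )?Good signature from\b', re.IGNORECASE)

def verdict_from_status(status_text):
    """Return (flag, signer): 'S' verified, 's' verification failed, ' ' unsigned."""
    flag, signer = ' ', None
    for line in (status_text or '').splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        if m.group(1) == 'GOODSIG' and flag != 's':
            flag, signer = 'S', m.group(3)
        else:
            # One bad or unverifiable signature taints the whole part.
            flag, signer = 's', None
    return flag, signer

def review_message(parts):
    """parts: list of (body_text, status_fd_text or None), one entry per MIME part."""
    report = []
    for body, status in parts:
        flag, signer = verdict_from_status(status)
        # Claims found in the body are never evidence, whatever the flag says.
        claims = [l for l in body.splitlines() if CLAIM_RE.match(l)]
        report.append({'flag': flag, 'signer': signer, 'body_claims': claims})
    return report

# Constructed sample: part 1 is signed, part 2 is an unsigned attachment
# whose text imitates gpg's human-readable output.
SAMPLE = [
    ('Meeting moved to 3pm.\n',
     '[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n'),
    ('gpg: Good signature from "Alice Example <alice@example.org>"\n'
     'Pay invoice 42.\n', None),
]

if __name__ == '__main__':
    for n, part in enumerate(review_message(SAMPLE), 1):
        print(n, repr(part['flag']), part['signer'], part['body_claims'])
```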