
Re: definition of signature separator



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, January 20 at 05:58 PM, quoth Patrick Shanahan:
> Then I guess I have probably had a lot of corruption that I didn't 
> even realize  :^).  But the posts were not broken apart or garbled 
> as to be unreadable or unusable.

Well, sure, but corruption is corruption. For example, that message 
was signed with a Domain-Key signature and with a DKIM signature. When  
your email system received it, it was uncorrupted, and you could have 
checked the validity of that signature to ensure that my email server 
sent it. But once it's delivered (and thereby corrupted), that message 
may never be re-validated because its contents have been modified. 
Cryptographically, you have no way of knowing whether that was the ONLY 
change (other than by guessing that the wocka was added, removing it, 
and attempting validation then). There's no sure-fire way of knowing 
that that's what was changed. I could just as easily have sent a 
message with the > and you'd have never known.

The same is true for gpg-signed messages. Your email software secretly 
modified the content of the message without your knowledge, and 
therefore that modified message will never appear to have a valid 
signature, but other than by guess-and-check methods, you have no way 
of knowing what about that message changed between the time it was 
signed and the time you tried to validate it.

> but the ">" was inserted by procmail,
>
>  If there is no Content-Length: field or the -Y option has been 
>  specified and procmail appends to regular mailfolders, any lines in 
>  the body of the message that look like postmarks are prepended 
>  with `>' (disarms bogus mailheaders).  The regular expression that is 
>  used to search for these postmarks is:    `\nFrom '
>
> and, in this case should be deemed harmless.

It all depends on your definition of harmless. Will you care? Probably 
not - you can read it even though it's been modified. But humans are 
great like that. That's why spammers send things like advertisements 
for v1*gRa---because *we* can see what that is, but computer programs 
have a tough time seeing what that is. If it's important that a 
computer program understand the content of the email (such as when 
doing parsing of fixed-content messages, or when sending rfc822 
attachments) or if it's important that the message has not changed at 
all (such as when doing cryptographic signature validation), then you 
can see why that kind of thing might not be tolerable.

> But much less so than mailing list software that mangles the 
> "Reply-To:" header  :^)  but that is not an mbox problem.

Well, sure, but if we're just going to make comparisons to larger 
problems, we'll never get anywhere.

> I guess I just do not see a great enough problem to change, but I 
> *am* getting along in *years*.

Well, if it doesn't ever bother you, I don't see why you would change 
either.

For me, these things are important because I *do* use encryption and 
cryptographic signatures in my daily emailing, and I run email servers 
for people who use it for more crucial things than I do. And, for 
whatever reason, it breaks mutt's ability to properly highlight 
signatures (because the >From line then appears to be a quoted 
line)---which I never knew, because I don't use mbox.

~Kyle
- -- 
No man should escape our universities without knowing how little he 
knows.
                                               -- J. Robert Oppenheimer
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iEYEARECAAYFAkl2XqgACgkQBkIOoMqOI15wDgCfXykrS007CW15YuNxlOVNGeVx
aZ4AnRGZBK5Ik0H7raqKXPFzXMWG5KZP
=8nQQ
-----END PGP SIGNATURE-----
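
Added example, not part of the original message or of procmail: a Python sketch of the ">From " escaping discussed above, showing that two different sent bodies are stored identically and that recovering the signed body takes guess-and-check. The SHA-256 digest is an assumed stand-in for whatever body hash a DKIM or PGP signature commits to; the sample bodies and function names are constructed for illustration.

```python
import hashlib
import re

# The quoted man page gives the postmark pattern as "\nFrom "; ^ with MULTILINE models it.
POSTMARK = re.compile(rb"^From ", re.MULTILINE)

def mboxo_escape(body: bytes) -> bytes:
    """What delivery to an mbox folder does: prepend '>' to postmark-like lines."""
    return POSTMARK.sub(b">From ", body)

def mboxo_unescape_guess(stored: bytes) -> bytes:
    """Naive reversal: assume every '>From ' line was escaped on delivery."""
    return re.sub(rb"^>From ", b"From ", stored, flags=re.MULTILINE)

def digest(body: bytes) -> str:
    """Assumed stand-in for the body hash that a signature covers."""
    return hashlib.sha256(body).hexdigest()

def verifies(body: bytes, signed_digest: str) -> bool:
    return digest(body) == signed_digest

def recover(stored: bytes, signed_digest: str):
    """Guess-and-check: un-escape every subset of '>From ' lines until one verifies."""
    lines = stored.split(b"\n")
    idx = [i for i, line in enumerate(lines) if line.startswith(b">From ")]
    for mask in range(2 ** len(idx)):
        trial = list(lines)
        for bit, i in enumerate(idx):
            if (mask >> bit) & 1:
                trial[i] = trial[i][1:]  # drop the leading '>'
        candidate = b"\n".join(trial)
        if verifies(candidate, signed_digest):
            return candidate
    return None  # something other than '>' insertion changed

# Constructed sample bodies (not real mail).
SENT_A = b"Hi,\nFrom here on it gets tricky.\n~K\n"
SENT_B = b"Hi,\n>From here on it gets tricky.\n~K\n"   # sender typed the '>'
MIXED = b"From the top:\n>From a quoted reply\nbye\n"  # one of each

if __name__ == "__main__":
    stored = mboxo_escape(SENT_A)
    print("A and B stored identically:", stored == mboxo_escape(SENT_B))
    print("stored copy verifies against A's signature:", verifies(stored, digest(SENT_A)))
    mixed_stored = mboxo_escape(MIXED)
    print("naive un-escape restores MIXED:", mboxo_unescape_guess(mixed_stored) == MIXED)
    print("subset search restores MIXED:", recover(mixed_stored, digest(MIXED)) == MIXED)
```

The subset search doubles with each ">From " line in the stored body, and it only succeeds at all because the signed digest is available to check each guess against.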