Re: definition of signature separator
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday, January 20 at 05:58 PM, quoth Patrick Shanahan:
> Then I guess I have probably had a lot of corruption that I didn't
> even realize :^). But the posts were not broken apart or garbled
> as to be unreadable or unusable.
Well, sure, but corruption is corruption. For example, that message
was signed with a Domain-Key signature and with a DKIM signature. When
your email system received it, it was uncorrupted, and you could have
checked the validity of that signature to ensure that my email server
sent it. But once it's delivered (and thereby corrupted), that message
may never be re-validated because its contents have been modified.
Cryptographically, you have no way of knowing whether that was the ONLY
change (other than by guessing that the wocka was added, removing it,
and attempting validation then). There's no sure-fire way of knowing
that that's what was changed. I could just as easily have sent a
message with the > and you'd have never known.
The same is true for gpg-signed messages. Your email software secretly
modified the content of the message without your knowledge, and
therefore that modified message will never appear to have a valid
signature, but other than by guess-and-check methods, you have no way
of knowing what about that message changed between the time it was
signed and the time you tried to validate it.
> but the ">" was inserted by procmail,
>
> If there is no Content-Length: field or the -Y option has been
> specified and procmail appends to regular mailfolders, any lines in
> the body of the message that look like postmarks are prepended
> with >' (disarms bogus mailheaders). The regular expression that is
> used to search for these postmarks is: \nFrom '
>
> and, in this case should be deemed harmless.
It all depends on your definition of harmless. Will you care? Probably
not - you can read it even though it's been modified. But humans are
great like that. That's why spammers send things like advertisements
for v1*gRa---because *we* can see what that is, but computer programs
have a tough time seeing what that is. If it's important that a
computer program understand the content of the email (such as when
doing parsing of fixed-content messages, or when sending rfc822
attachments) or if it's important that the message has not changed at
all (such as when doing cryptographic signature validation), then you
can see why that kind of thing might not be tolerable.
> But much less so than mailing list software that mangles the
> "Reply-To:" header :^) but that is not an mbox problem.
Well, sure, but if we're just going to make comparisons to larger
problems, we'll never get anywhere.
> I guess I just do not see a great enough problem to change, but I
> *am* getting along in *years*.
Well, if it doesn't ever bother you, I don't see why you would change
either.
For me, these things are important because I *do* use encryption and
cryptographic signatures in my daily emailing, and I run email servers
for people who use it for more crucial things than I do. And, for
whatever reason, it breaks mutt's ability to properly highlight
signatures (because the >From line then appears to be a quoted
line)---which I never knew, because I don't use mbox.
~Kyle
- --
No man should escape our universities without knowing how little he
knows.
-- J. Robert Oppenheimer
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!
iEYEARECAAYFAkl2XqgACgkQBkIOoMqOI15wDgCfXykrS007CW15YuNxlOVNGeVx
aZ4AnRGZBK5Ik0H7raqKXPFzXMWG5KZP
=8nQQ
-----END PGP SIGNATURE-----
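
The guess-and-check described in the message above, as an added example that is not part of the original post: two different sent bodies become the same mbox text after the "From " escaping, and only a hash taken at signing time can tell them apart. The function names and sample bodies are constructed for illustration, and the DKIM "simple" body hash with SHA-256 stands in for the full signature check.

```python
import base64
import hashlib
import itertools

def body_hash(body: str) -> str:
    """DKIM 'simple' body canonicalization, then SHA-256, base64 (like bh=)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()                       # trailing empty lines are ignored
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def mbox_escape(body: str) -> str:
    """The rewrite quoted from the procmail text: '>' before 'From ' lines."""
    return "\n".join(">" + line if line.startswith("From ") else line
                     for line in body.split("\n"))

def guess_original(stored: str, signed_hash: str) -> list:
    """Try removing '>' from every subset of '>From ' lines; keep hash matches."""
    lines = stored.split("\n")
    idx = [i for i, line in enumerate(lines) if line.startswith(">From ")]
    matches = []
    for choice in itertools.product((False, True), repeat=len(idx)):
        cand = list(lines)
        for i, strip in zip(idx, choice):
            if strip:
                cand[i] = cand[i][1:]
        text = "\n".join(cand)
        if body_hash(text) == signed_hash:
            matches.append(text)
    return matches

# Constructed sample bodies: A has a bare "From " line, B was sent with ">" already.
SENT_A = "Hi,\nFrom now on use the new key.\n>From the old thread: fine.\n"
SENT_B = "Hi,\n>From now on use the new key.\n>From the old thread: fine.\n"
STORED = mbox_escape(SENT_A)              # what ends up in the mbox file

if __name__ == "__main__":
    print("same stored text for A and B:", STORED == mbox_escape(SENT_B))
    print("stored body still verifies for A:", body_hash(STORED) == body_hash(SENT_A))
    print("candidates matching A's hash:", len(guess_original(STORED, body_hash(SENT_A))))
```

The search grows as 2^n in the number of ">From " lines, and it only succeeds when the escaping was the sole change to the body.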