PGP signatures

PPS. On a completely unrelated note, did we ever decide whether or not
we’re allowed to pgp sign messages on the mailing list? It’s mildly
annoying to have to turn off message signing for this list all the time
(yes, I know I can just do a mutt hook and forget about it, but I prefer
signing all my messages).

Is anyone going to make a decision on this? I’m getting pretty sick of the
attachments but can live with the inline noise.

Gavin

···

From: “Paul Duncan” pabs@pablotron.org

PPS. On a completely unrelated note, did we ever decide whether or not
we’re allowed to pgp sign messages on the mailing list? It’s mildly
annoying to have to turn off message signing for this list all the time
(yes, I know I can just do a mutt hook and forget about it, but I prefer
signing all my messages).

Is anyone going to make a decision on this? I’m getting pretty sick of the
attachments but can live with the inline noise.

Gavin

Perhaps the mailing list software could reformat the messages that come from
outlook express the way they’re supposed to look, although it is kind of
convoluted to add code to one piece of software to make up for the problems
in another.

Carl

···

----- Original Message -----
From: “Gavin Sinclair” gsinclair@soyabean.com.au
To: “ruby-talk ML” ruby-talk@ruby-lang.org
Sent: Wednesday, November 06, 2002 6:14 PM
Subject: PGP signatures

For some reason my mail reader uses attachments instead of armored ascii…
anyone out there using sylpheed know how to change this?

···

On Thu, 7 Nov 2002 10:14:03 +0900 “Gavin Sinclair” gsinclair@soyabean.com.au wrote:

From: “Paul Duncan” pabs@pablotron.org

PPS. On a completely unrelated note, did we ever decide whether or not
we’re allowed to pgp sign messages on the mailing list? It’s mildly
annoying to have to turn off message signing for this list all the time
(yes, I know I can just do a mutt hook and forget about it, but I prefer
signing all my messages).

Is anyone going to make a decision on this? I’m getting pretty sick of the
attachments but can live with the inline noise.

Gavin


To call me “awesome” is an understatement.

From: “Gavin Sinclair” gsinclair@soyabean.com.au

Is anyone going to make a decision on this? I’m getting pretty sick of the
attachments but can live with the inline noise.

Gavin

Perhaps the mailing list software could reformat the messages that come from
outlook express the way they’re supposed to look, although it is kind of
convoluted to add code to one piece of software to make up for the problems
in another.

Carl

Messages coming from Outlook is not the issue here. It’s PGP signatures, which
are rendered in Outlook and Outlook Express (any others?) as either attachments
(so you can’t read the message directly - very annoying), or inline text
signatures, which are unnecessary clutter.

The issue is independent of email clients used at either end, although some
data would be handy. Since Oct 1, the PGP signed messages come from:

INLINE
KMail 1.4.3 (Michael Libby, Holden Glova)
Mozilla (Lyle Johnson, Count Zero, Ben Schumacher)
Sylpheed 0.8.5 (Martin Brown)

ATTACHMENT
Mutt 1.4 (Paul Duncan, Eric Hodel, Philipp Meier)

It is interesting to see which email clients are producing the PGP signatures,
since these clients are obviously adept at receiving them - without attachments
or inline clutter.

What I do not know, and cannot determine, is how all the other clients in use
out there handle these messages.

Gavin

PS. Paul, Eric, and Philipp: any chance you can switch to inline PGP
signatures, at least for this list? Come on, I know mutt can do anything!

···

From: “Carl Youngblood” carl@ycs.biz

[snippage]

Messages coming from Outlook is not the issue here. It’s PGP signatures, which
are rendered in Outlook and Outlook Express (any others?) as either attachments
(so you can’t read the message directly - very annoying), or inline text
signatures, which are unnecessary clutter.

The issue is independent of email clients used at either end,

Not exactly, as I “understand” it… :slight_smile:

One of the ‘mutt’ authors, a MIME RFC author as well, is a member of my LUG.
When I switched from ‘pine’ to ‘mutt’ about a year ago, I had many questions about
using ‘pgp’/‘gpg’ with ‘mutt’. The upshot is, a signed message should be sent as
two attachments, body text and signature. It’s up to the client on the receiving
end to present the attachments as desired.

although some data would be handy. Since Oct 1, the PGP signed messages come from:

INLINE
KMail 1.4.3 (Michael Libby, Holden Glova)
Mozilla (Lyle Johnson, Count Zero, Ben Schumacher)
Sylpheed 0.8.5 (Martin Brown)

Hmmm… I just started using ‘sylpheed’ recently…
looks like I’m going to have to check the preferences.

ATTACHMENT
Mutt 1.4 (Paul Duncan, Eric Hodel, Philipp Meier)

It is interesting to see which email clients are producing the PGP
signatures, since these clients are obviously adept at receiving them -
without attachments or inline clutter.

What I do not know, and cannot determine, is how all the other clients in use
out there handle these messages.

Both ‘mutt’ and ‘sylpheed’ check the signatures against the local public key ring,
(and optionally can retrieve the key from the net), notify you of the result, and
present the text body to the user. I forget exactly the ‘pine’ procedure, but
it does present the text body to the user.

Gavin

PS. Paul, Eric, and Philipp: any chance you can switch to inline PGP
signatures, at least for this list? Come on, I know mutt can do anything!

Isn’t there a windows client that allows you to call the shots?


                        - Martin J. Brown, Jr. -
                        - mjbjr@beaudesign.com -

  Public PGP Key ID: 0xDB184F7B keyserver: http://certserver.pgp.com/
···

On Thu, 7 Nov 2002 10:48:14 +0900 “Gavin Sinclair” gsinclair@soyabean.com.au wrote:

Gavin Sinclair wrote:

The issue is independent of email clients used at either end, although some
data would be handy. Since Oct 1, the PGP signed messages come from:

INLINE
KMail 1.4.3 (Michael Libby, Holden Glova)
Mozilla (Lyle Johnson, Count Zero, Ben Schumacher)
Sylpheed 0.8.5 (Martin Brown)

ATTACHMENT
Mutt 1.4 (Paul Duncan, Eric Hodel, Philipp Meier)

I can stop signing most messages by default, I just started doing so
because it seemed like the right thing to do. Of course I’d rather see
people push the developers of their e-mail clients to improve the
software so that it does something more intelligent!

It is interesting to see which email clients are producing the PGP signatures,
since these clients are obviously adept at receiving them - without attachments
or inline clutter.

Yes. Mozilla Mail makes this very non-intrusive; I now use it for both
Linux and Windows, since I still live in a cross-platform world :wink: I’m
guessing that the other e-mail clients you listed do a good job with
this as well (I know that several of my co-workers use KMail and swear
by it).

Messages coming from Outlook is not the issue here. It’s PGP
signatures, which are rendered in Outlook and Outlook Express (any
others?) as either attachments (so you can’t read the message directly
- very annoying), or inline text signatures, which are unnecessary
clutter.

In all honesty this is a problem with your mail reader. Hardly the
sender’s fault. Being able to sign messages and prove you sent them is
pretty important, even on public mailing lists, and asking people not to
because your client is broken is unacceptable, in my opinion.

I suggest to send a bug report to your vendor. If OE knows to show
image/jpeg inline, then it should sure as hell know to show text/plain
inline too :)p

The issue is independent of email clients used at either end, although some
data would be handy. Since Oct 1, the PGP signed messages come from:

INLINE
KMail 1.4.3 (Michael Libby, Holden Glova)
Mozilla (Lyle Johnson, Count Zero, Ben Schumacher)
Sylpheed 0.8.5 (Martin Brown)

ATTACHMENT
Mutt 1.4 (Paul Duncan, Eric Hodel, Philipp Meier)

It is interesting to see which email clients are producing the PGP
signatures, since these clients are obviously adept at receiving them
- without attachments or inline clutter.

PGP/MIME is the current standard method for signing messages, and has
been for years. The inline format you mention is in fact the old ascii
armour technique which is obsolete and has been for about 5 years :slight_smile:

It’s usually used by clients with hopeless MIME support, as seen above
:wink:

Anyway it is, of course, perfectly possible to use the old method with
mutt, as you can see from this method - it’s just old, obsolete and
broken and it means that people with good mail clients that do support
MIME properly get annoyed, because their custom actions for PGP/MIME
messages don’t get fired by inlined messages.

Tom.


.^. .-------------------------------------------------------.
/V\ | Tom Gilbert, London, England | http://linuxbrit.co.uk |
/( )\ | Open Source/UNIX consultant | tom@linuxbrit.co.uk |
^^-^^ `-------------------------------------------------------’

···
* Gavin Sinclair (gsinclair@soyabean.com.au) wrote:

“Gavin Sinclair” gsinclair@soyabean.com.au writes:

so you can’t read the message directly - very annoying), or inline text
signatures, which are unnecessary clutter.

I’m not clear about what an inline text signature is. Is it something
like what this post has?

YS.

Martin J. Brown, Jr. wrote:

Isn’t there a windows client that allows you to call the shots?

Mozilla Mail will – on Windows or Linux (or I guess any of its other
supported platforms). I use the Enigmail plugin for this purpose.

Unsigned (until the issue is resolved),

Lyle

P.S. Without a digital signature, you just have to trust that it’s
really me :wink:

The issue is independent of email clients used at either end,

Not exactly, as I “understand” it… :slight_smile:

One of the ‘mutt’ authors, a MIME RFC author as well, is a member of my LUG.
When I switched from ‘pine’ to ‘mutt’ about a year ago, I had many questions about
using ‘pgp’/‘gpg’ with ‘mutt’. The upshot is, a signed message should be sent as
two attachments, body text and signature. It’s up to the client on the receiving
end to present the attachments as desired.

Interesting.

[snip]

Isn’t there a windows client that allows you to call the shots?

Funny that if someone sends me a .JPG attachment, OE displays it inline, but
the .TXT attachments do not :frowning:

I might give Sylpheed a go. I’ve tried several other clients for Windows:
mutt, pine, Mahogany, and was never able to get it working to my satisfaction.
OE may not be the Rolls Royce of email clients, but at least it works with a
minimum of fuss.

Gavin

···

From: “Martin J. Brown, Jr.” mjbjr@beaudesign.com

I can empathize with the frustration of dealing with PGP/MIME messages
in a mail client that doesn’t understand them; that frustration drove me
to switch mail clients a couple months ago. (For the statistics
gatherers, I’m now using Evolution
http://www.ximian.com/products/evolution/, which sends signed or
encrypted messages using PGP/MIME.)

However, I believe the response to that frustration (if any) should be
directed to the email client vendors/authors. The RFCs relating to this
are 6 and 7 years old. Please refer to RFC 1847 "Security Multiparts
for MIME: Multipart/Signed and Multipart/Encrypted"
http://www.ietf.org/rfc/rfc1847.txt, RFC 1991 “PGP Message Exchange
Formats” http://www.ietf.org/rfc/rfc1991.txt, and RFC 2015 "MIME
Security with Pretty Good Privacy (PGP)"
http://www.ietf.org/rfc/rfc2015.txt. Admittedly, there have been
updates, such as RFC 3156 http://www.ietf.org/rfc/rfc3156.txt.

Granted, it’s probably easier to get an individual on the list to change
his or her practices than to get an email client vendor to change its
product, but in my opinion, the individual is doing something
reasonable, and the vendor is not. Getting the vendor to change (or
changing mail clients) is also more reliable. Like others have
mentioned in this thread, I sign my messages as a standard practice.
I’ll try to refrain from doing so on this list, but I’ll probably forget
sometimes. Also, as the community grows, this issue will come up
repeatedly, sparking threads of various lengths each time. Who knows;
maybe the vendor is already considering it, and a cordial suggestion
might sway them to raise the priority.

I’ll endeavor to abide by whatever the community decides, but I’d prefer
to see the list policy be silent regarding PGP/GPG signatures. That is,
“Sign your messages or don’t, we don’t really care as long as you’re
’talking’ about Ruby.”

Xandy

Being able to sign messages and prove you sent them
is pretty important, even on public mailing lists, …

Maybe to some, but this is hardly a universal truth.

I’ve been reading mailing lists avidly for 15+ years, and I can’t
think of a single time that I’ve had the need for a signature to
verify the originator’s identity. , maybe it’s the types of
lists I read. Content is more important to me than author.

···

=====

Yahoo IM: michael_s_campbell



Correct!

···

From: “Yohanes Santoso” ysantoso@jenny-gnome.dyndns.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

“Gavin Sinclair” gsinclair@soyabean.com.au writes:

so you can’t read the message directly - very annoying), or inline text
signatures, which are unnecessary clutter.

I’m not clear about what an inline text signature is. Is it something
like what this post has?

YS.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 http://mailcrypt.sourceforge.net/

iD8DBQE9yxHAEOgCkEGX4MIRAji/AJ4m2RKouJrzPQb6bMDRFYGZR9pwBQCgihnk
7apz5nqgR0VuxnNgtGlC9Pk=
=zw2J
-----END PGP SIGNATURE-----

Martin J. Brown, Jr. wrote:

Isn’t there a windows client that allows you to call the shots?

Mozilla Mail will – on Windows or Linux (or I guess any of its other
supported platforms). I use the Enigmail plugin for this purpose.

Unsigned (until the issue is resolved),

Lyle

P.S. Without a digital signature, you just have to trust that it’s
really me :wink:

You could just write some rubbish down the bottom and I wouldn’t be able to
tell the difference :slight_smile:

Seriously, I’ve got no idea how digital signatures work, so I’ve always gone on
trust anyway.

Gavin

···

From: “Lyle Johnson” lyle@users.sourceforge.net

Martin J. Brown, Jr. wrote:

Isn’t there a windows client that allows you to call the shots?

Mozilla Mail will – on Windows or Linux (or I guess any of its other
supported platforms). I use the Enigmail plugin for this purpose.

Unsigned (until the issue is resolved),

Lyle

P.S. Without a digital signature, you just have to trust that it’s
really me :wink:

Imposter!!!

What have you done with the REAL Lyle Johnson?

HF

···

----- Original Message -----
From: “Lyle Johnson” lyle@users.sourceforge.net
Newsgroups: comp.lang.ruby
To: “ruby-talk ML” ruby-talk@ruby-lang.org
Sent: Wednesday, November 06, 2002 10:27 PM
Subject: Re: PGP signatures

I can empathize with the frustration of dealing with PGP/MIME messages
in a mail client that doesn’t understand them; that frustration drove
me to switch mail clients a couple months ago.

This alone makes signing worthwhile. A common demonstration of how poor
a client is which helps people to switch to something less lame is a
Good Thing :wink:

(For the statistics gatherers, I’m now using Evolution
http://www.ximian.com/products/evolution/, which sends signed or
encrypted messages using PGP/MIME.)

Statistics gatherers would use User-Agent/X-Mailer :slight_smile:

<Resists temptation to write a graphing tool showing the activity of
UA’s using rrdtool over his 1.2GB of mail>

I was going to do this for my SPAM, actually… hum, don’t suppose
anyone’s written a nice Rubyish API to rrdtool?

However, I believe the response to that frustration (if any) should be
directed to the email client vendors/authors. The RFCs relating to
this are 6 and 7 years old.
[…]
in my opinion, the individual is doing something reasonable, and
the vendor is not. Getting the vendor to change (or changing mail
clients) is also more reliable.

I agree; we shouldn’t be making concessions for UA’s which fail to
implement MIME correctly after squillions of revisions and almost a
decade of available development time.

I’ll try to refrain from doing so on this list, but I’ll probably
forget sometimes.

Mutt users can use a folder-hook, ala:

folder-hook . 'set crypt_autosign=yes'
folder-hook lists/ruby-talk 'set crypt_autosign=no'

And of course you can set anything you like with this; so if you run a
patch to use inline PGP signing, you can enable that for ruby-talk too.

Of course, instead of everyone else reconfiguring their mailers, maybe
all those Outlook* users could write a small filtering POP3 proxy and
convert PGP/MIME to inline, or change the Content-Type of
multipart/signed messages to something else Outlook can cope with
properly.

Such a proxy could also escape 'begin ' with '>begin ' or so too, to
escape people triggering Outlook’s dodgy attachment handling, not to
mention filter out stuff which might be exploitable… :slight_smile:

Who knows; maybe the vendor is already considering it, and a cordial
suggestion might sway them to raise the priority.

Yup. Maybe forwarding every signed message that fails to display to
their support team with a “Outlook* does not display this properly” will
encourage them :wink:

I’ll endeavor to abide by whatever the community decides, but I’d
prefer to see the list policy be silent regarding PGP/GPG signatures.
That is, “Sign your messages or don’t, we don’t really care as long as
you’re ‘talking’ about Ruby.”

Agreed. It’s not that hard to open an attachment on 1 out of 100
messages (probably only a fraction of which you’ll necessarily be
interested in anyway, unless you read the body of every message);
Outlook users can consider it their penance for inflicting broken
threading, truly broken MIME, incorrect charsets, TOFU posting and HTML
email on the rest of us :slight_smile:

···


Thomas ‘Freaky’ Hurst - freaky@aagh.net - http://www.aagh.net/

If I could drop dead right now, I’d be the happiest man alive!
– Samuel Goldwyn

I vote for that!

···

On Thursday, November 7, 2002, at 04:07 AM, Xandy Johnson wrote:

I’ll endeavor to abide by whatever the community decides, but I’d prefer
to see the list policy be silent regarding PGP/GPG signatures. That is,
“Sign your messages or don’t, we don’t really care as long as you’re
‘talking’ about Ruby.”

Being able to sign messages and prove you sent them
is pretty important, even on public mailing lists, …

Maybe to some, but this is hardly a universal truth.

Fair enough, but just because you don’t believe in doing it doesn’t mean
you should be able to stop other people doing it due to a bug in the
email client you use, right? :slight_smile:

I’ve been reading mailing lists avidly for 15+ years, and I can’t
think of a single time that I’ve had the need for a signature to
verify the originator’s identity. , maybe it’s the types of
lists I read. Content is more important to me than author.

I guess you don’t read linux-kernel then, the forged messages from Linus
around April time saying “I quit” are an example that easily springs to
mind :slight_smile:

But actually, there’s more to it than that. If content is more important
to you, don’t you want to be sure that the content of the message you’re
reading is the same content the author originally wrote and sent?

Here’s a quotation from an article about the subject, which gives you
one perspective on it at least:
http://www.itworld.com/nl/lnx_sec/05282002/pf_index.html

Some folks ask me why I sign everything I write, and the answer is
simple: I need to. I'm in the computer security business, and, as
such, I send a boatload of emails such as directives to users,
administrators, and co-workers. Because of this, messages appearing
to be from me have a good chance of being acted upon. By digitally
signing everything, even stupid jokes I send my sister, I've
established a pattern that says, "If it ain't signed, it ain't me."
Those with whom I discuss important topics can read and verify the
PGP signature automatically and know when the signature is valid. If
it's not, then the message is not authentic, they'll contact me to
let me know something is amiss, and won't act on the information
therein.

There’s more commentary here:
http://kurtas.ai.mit.edu/pgpinfo.html
http://www.philzimmermann.com/essays.shtml
http://www.google.com/search?q=pgp+signing+emails

Email is an inherently insecure means of communication. Emails can be
intercepted at many points during transmission and sending an email that
appears to come from someone else is all too easy.

Tom.


.^. .-------------------------------------------------------.
/V\ | Tom Gilbert, London, England | http://linuxbrit.co.uk |
/( )\ | Open Source/UNIX consultant | tom@linuxbrit.co.uk |
^^-^^ `-------------------------------------------------------’

···
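The thread contrasts inline (clear-signed) PGP with PGP/MIME `multipart/signed` and suggests gathering per-client statistics from User-Agent/X-Mailer. The following Python is an added example, not code from any poster: it classifies a message by signature layout, extracts the text a MIME-aware reader would display, and tallies layouts per client. The sample messages, `ExampleMailer` and all function names are constructed for illustration, and no signature is verified.

```python
import email
from collections import Counter
from email import policy
CLEARSIGN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# Constructed, minimal sample messages; PLACEHOLDER stands in for signature data.
PGP_MIME = """\
User-Agent: Mutt/1.4i
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Signed as PGP/MIME.
--b1
Content-Type: application/pgp-signature

PLACEHOLDER
--b1--
"""
INLINE = """\
X-Mailer: ExampleMailer 1.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Signed inline.
- - dash-escaped line
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER
-----END PGP SIGNATURE-----
"""

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def _plain(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""

def signature_style(msg):
    """Return 'pgp-mime', 'inline' or 'unsigned' from the message structure alone."""
    proto = str(msg.get_param("protocol", "")).lower()
    if msg.get_content_type() == "multipart/signed" and proto == "application/pgp-signature":
        return "pgp-mime"
    return "inline" if CLEARSIGN in _plain(msg).splitlines() else "unsigned"

def readable_text(msg):
    """Text to show the reader, with signature framing removed (not verified)."""
    if signature_style(msg) == "pgp-mime":
        msg = next(msg.iter_parts(), msg)  # first subpart is the signed content
    lines = _plain(msg).splitlines()
    if CLEARSIGN in lines:
        start = lines.index(CLEARSIGN) + 1
        while start < len(lines) and lines[start].strip():  # skip "Hash:" headers
            start += 1
        end = lines.index(SIG_BEGIN, start) if SIG_BEGIN in lines[start:] else len(lines)
        lines = [l[2:] if l.startswith("- ") else l for l in lines[start + 1:end]]
    return "\n".join(lines).strip()

def tally(raw_messages):
    """Count (client, style) pairs; client is User-Agent, else X-Mailer."""
    return Counter((str(m["User-Agent"] or m["X-Mailer"] or "unknown"), signature_style(m))
                   for m in map(parse, raw_messages))
```
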