GPG PGP S/Mime vulnerability

Anthony E. Greene agreene@pobox.com
Thu Aug 9 14:53:02 2001


On Thu, 9 Aug 2001, Julia A. Case wrote:

>Quoting Anthony E. Greene (agreene@pobox.com):
>> I think he means the From, To, Date, and Subject headers, all of which are
>> known to the mail client at the time of composition. If mail clients
>> inserted this data into the message before calling PGP, that would be an
>> automated solution to the problem, assuming these headers had enough
>> specific information to be of any help.
>>
>
>I'm still to sure this would work well, I mean do you require that the
>From: address match one of the addresses in the signing key? The
>previously indicated methods of making sure you don't sign ambiguous mails
>seems the better choice.

It is better not to sign ambiguous messages. The From header would not have
to match the signing key. That header, and the others, would be added to the
text of the message itself to reduce the ambiguity of the message.

Tony
-- 
Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Chat: AOL/Yahoo: TonyG05
Linux. The choice of a GNU Generation. <http://www.linux.org/>
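
The idea discussed in this message, as an added Python example that is not part of the original post or of any mail client: the From, To, Date and Subject headers are copied into the text before it is signed, and after verification the copies are compared with the outer headers. The marker line, the function names and the sample addresses are assumptions, and the PGP signing and verification calls themselves are left out.

```python
from email.message import EmailMessage

BOUND_HEADERS = ("From", "To", "Date", "Subject")  # the headers named in the thread
MARKER = "-- end of signed headers --"  # assumed delimiter, not a standard

def header_value(msg, name):
    """Header as plain text, or None when the message lacks it."""
    value = msg[name]
    return None if value is None else str(value)

def bind_headers(msg):
    """Text to hand to PGP for signing: header copies, marker, then the body."""
    copies = [f"{h}: {header_value(msg, h)}" for h in BOUND_HEADERS if msg[h] is not None]
    return "\n".join(copies + [MARKER, msg.get_content()])

def check_binding(outer, signed_text):
    """Run after signature verification succeeds. Returns (header, signed, outer)
    tuples for every bound header that disagrees with the outer message."""
    head, found, _body = signed_text.partition(MARKER)
    if not found:
        return [("(marker)", None, None)]  # no header copies: still ambiguous
    signed = {}
    for line in head.splitlines():
        name, _, value = line.partition(": ")
        signed[name] = value
    return [(h, signed.get(h), header_value(outer, h))
            for h in BOUND_HEADERS
            if signed.get(h) != header_value(outer, h)]

def sample_message(to, subject):
    """Constructed sample mail; addresses and text are made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = to
    msg["Date"] = "Thu, 09 Aug 2001 14:53:02 -0400"
    msg["Subject"] = subject
    msg.set_content("I agree to the terms.")
    return msg

if __name__ == "__main__":
    signed_text = bind_headers(sample_message("bob@example.org", "Contract A"))
    # Same signed text shown under different outer headers.
    outer = sample_message("carol@example.org", "Contract B")
    for header, was, now in check_binding(outer, signed_text):
        print(f"{header}: signed {was!r}, outer {now!r}")
```

The comparison is between the signed header copies and the outer headers only; as the message says, the From address is not required to match an address on the signing key.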