Signing headers (was Re: Evolution signatures)

darren chamberlain dlc@users.sourceforge.net
Wed Aug 6 22:15:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Carl L. Gilbert <lamont_gilbert at rigidsoftware.com> [2003-08-06 15:27]:
> > The alternate extreme is that we throw away all the (unsigned)
> > headers and try to understand the message as best we can from what's
> > in it--who signed it, what it says, what the date stamp on the
> > signature was, etc.  I dislike that option.
> 
> This is not an extreme.  If you want a secure mail 'system' this is
> necessary.  You just need an MUA that knows YOUR subject is not where
> most subjects are but inside the encrypted portion of your mail.  SO
> when the reader knows this it can substitute the real subject once it's
> decoded.

I'd like to chime in my support for this position.  In practice, there
is a difference between mail-delivery headers and content-related
headers.  The Subject header, for example, is for the user, not the MTA.
The Received headers, while being potentially interesting to the user,
are not part of the message the same way that Subject is.

(darren)

- -- 
What is truth, on the experiential level, but truthfulness?
    -- Raimundo Panikkar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: This message is digitally signed and can be verified for authenticity.

iD8DBQE/MWFOzsinjrVhZaoRArW8AJkBfMzGsRPXf1fqFW/99lqdR8gvmACfR6iz
aXU3AlnTJytJqYabAi4ogAI=
=jE10
-----END PGP SIGNATURE-----
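Added example, not code from this thread: a small Python sketch of the arrangement Carl describes, where the real Subject lives inside the protected part and the reader substitutes it only after that part verifies, while Received stays an envelope header. An HMAC stands in for the PGP signature; the key, addresses and header names are constructed for the example.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption for this example: these are the "content" headers that belong to
# the user, so the MUA takes them only from the protected inner part.
CONTENT_HEADERS = ("Subject", "From")
PLACEHOLDER_SUBJECT = "Encrypted message"
DEMO_KEY = b"constructed-demo-key"  # stands in for the sender's signing key


def build_message(real_headers: dict, body: str, key: bytes = DEMO_KEY) -> str:
    """Sender side: the real Subject/From go into the inner part, which is what
    gets protected. The transport-visible outer Subject is only a placeholder."""
    inner = EmailMessage(policy=policy.default)
    for name in CONTENT_HEADERS:
        inner[name] = real_headers[name]
    inner.set_content(body)
    inner_text = inner.as_string()
    outer = EmailMessage(policy=policy.default)
    outer["Received"] = "from mta.example.test (constructed); Wed, 6 Aug 2003"
    outer["Subject"] = PLACEHOLDER_SUBJECT
    # HMAC over the inner part stands in for the PGP signature
    outer["X-Inner-MAC"] = hmac.new(key, inner_text.encode(), hashlib.sha256).hexdigest()
    outer.set_content(inner_text)  # the inner message travels as the outer body
    return outer.as_string()


def effective_headers(raw: str, key: bytes = DEMO_KEY) -> dict:
    """Reader side: verify the protected part, then take content headers from
    it and never from the unsigned envelope. Delivery headers such as
    Received are transport information and stay with the outer message."""
    outer = message_from_string(raw, policy=policy.default)
    inner_text = outer.get_content()
    expected = str(outer.get("X-Inner-MAC", ""))
    actual = hmac.new(key, inner_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, actual):
        raise ValueError("protected part does not verify; content headers untrusted")
    inner = message_from_string(inner_text, policy=policy.default)
    shown = {name: str(inner[name]) for name in CONTENT_HEADERS}
    shown["Received"] = str(outer["Received"])
    shown["body"] = inner.get_content()
    return shown


if __name__ == "__main__":
    msg = build_message({"Subject": "Q3 budget", "From": "alice@example.test"}, "Numbers attached.\n")
    print(effective_headers(msg)["Subject"])  # the protected Subject, not the placeholder
```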