Signing (and Encrypting) Mails with gpg like DKIM

Andrew Gallagher andrewg at andrewg.com
Sun Sep 1 12:24:40 CEST 2024


On 31 Aug 2024, at 23:35, T. S. <tfasnetamot at emailn.eu> wrote:
> 
> Hello,
> 
> after looking into DKIM details, I started searching, why the same procedure cannot be used for gpg?
> With gpg a lot of people from get confused, when they receive signed mails either because of the -----BEGIN PGP SIGNED MESSAGE----- strings, or because the unknown attachments in MIME message.
> 
> When now looking to DKIM, this looks much more advanced. There is a Header in the mail, containing the signature all details to the signature and information about header items included in the signature:
<snip>
> Is somethings similar available for GPG/PGP?
> 
> Currently I found nothing, but I expect that this could help for much better acceptance for signed mails.  Receivers, who don't know anything about gpg getting not confused, as the Header is totally invisible.
> With such an implementation I would start again sending all my mails automatically signed, as I have not longer to answer questions about my weird looking mails.

You’re essentially talking about defining a new cleartext signing mechanism, so that people using PGP-unaware mail clients can remain blissfully unaware, while also allowing for a graceful upgrade to signed mail for those who can.

Unfortunately, history has taught us that any cleartext sent over email *will* be mangled, and this will break the signature. MTAs are in general really bad at preserving the content of email messages. The only reliable way we know of to protect your signed plaintext is to encode it in something more robust, such as base64. Even then, if it is encoded as a base64 MIME part, MTAs have been known to mangle the MIME headers, which breaks the signature. And if you don’t sign over the MIME headers, your email is dangerously malleable (see efail). 

So for the foreseeable future at least, it seems you can have trustworthy signed emails or you can have backwards-compatible cleartext signing, but not both. 

A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240901/73643277/attachment.html>


More information about the Gnupg-users mailing list