Signing (and Encrypting) Mails with gpg like DKIM
Werner Koch
wk at gnupg.org
Mon Sep 2 09:00:53 CEST 2024
On Sat, 31 Aug 2024 18:29, T. S. said:
> either because of the -----BEGIN PGP SIGNED MESSAGE----- strings, or because
> the unknown attachments in MIME message.
Don't use that legacy inline PGP encryption. Use PGP/MIME, a 28-year-old
standard (RFC-2015). You should give that unnamed attachment a
name, for example

  Content-Type: application/pgp-signature;
        name="openpgp-digital-signature.asc"

which clearly shows what kind of attachment this is.
> When now looking to DKIM, this looks much more advanced. There is a Header in
> the mail, containing the signature all details to the signature and
<the_usual_rant> You may want to go back to the year ~2000 when DKIM was
first presented at the IETF in Paris. It was then a quick hack from the
sendmail authors and it took only a few hours until an attack on this
was found. DKIM also broke with the long-standing rule of being able to
work in a pipeline (iirc, this is called an online algo these days).
Instead of doing all that DKIM stuff it would have been easier to
directly use S/MIME or PGP/MIME and include copies of important headers
in a signed attachment. But well, attachments are ugly for some people.
</>
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20240902/2f04bcc9/attachment.sig>
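
The PGP/MIME layout recommended in the message above, as an added example that is not part of the original post or of GnuPG: it builds a multipart/signed message whose signature part carries the suggested name, and classifies raw messages as PGP/MIME, legacy inline, or unsigned. The function names, the placeholder signature and the sample messages are constructed for illustration; micalg=pgp-sha256 is an assumed digest.

```python
from email import encoders, message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder. A real one comes from gpg --detach-sign --armor
# run over the first MIME part (headers included, CRLF line endings).
FAKE_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n"
            "(constructed placeholder, not a real signature)\n"
            "-----END PGP SIGNATURE-----\n")

# Constructed sample of the legacy inline (clearsigned) format.
INLINE = ("Subject: inline sample\nContent-Type: text/plain\n\n"
          "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nhello\n" + FAKE_SIG)


def build_pgp_mime(text, armored_sig, sig_name="openpgp-digital-signature.asc"):
    """Return a multipart/signed message: content part, then signature part."""
    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg="pgp-sha256")
    outer.attach(MIMEText(text, "plain"))
    # Only emit name= when a name is given, so the unnamed case can be shown.
    params = {"name": sig_name} if sig_name else {}
    outer.attach(MIMEApplication(armored_sig, "pgp-signature",
                                 encoders.encode_7or8bit, **params))
    return outer


def classify(raw):
    """Return (kind, signature_attachment_name) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    if (msg.is_multipart() and msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        parts = msg.get_payload()
        if len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature":
            # get_filename() falls back to the Content-Type name= parameter.
            return ("pgp-mime", parts[1].get_filename())
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_multipart():
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
                return ("inline", None)
    return ("unsigned", None)


if __name__ == "__main__":
    print(build_pgp_mime("hello\n", FAKE_SIG).as_string())
    print(classify(INLINE))
```

A result of ("pgp-mime", None) marks a PGP/MIME message whose signature part is still the unnamed attachment the message advises against.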