On Fri, 05 Nov 2004 08:06:34 EST, Bruce Lilly said:
header fields makes no semantic difference. Third, if one is using PGP
as recommended (RFC 3156), refolding of a MIME-part field within
a message/rfc822 part that is not within a signed multipart (RFC 1847)
will have no effect on signature validity.
There *was* an enclosing signed multipart - which is how I found
out about the issue. The original structure was:
(rfc822 headers in question)
The 'headers in question' had 2 things done to them: (1) the removal
of a non-822 'From ' header and (2) the wrapping of long Received:
lines into multiple shorter lines.
The modifications to the message/rfc822 headers invalidated the
outer signature. The inner signature survived just fine, as the
signature doesn't cover the inner message's headers.
2) Am I at fault for including the mbox-style 'From ' line,
OK.. I'll look at the MH code about fixing that one.
message was signed and wrapped? If a signature was
improperly computed on content not in canonical form (CRLF
line endings), it is virtually guaranteed to be invalid.
Even modulo the 'From ' breakage, a correctly calculated signature
on canonical form won't survive software that decided to wrap a
long single-line Received: and make it into 3 or 4 shorter lines...
If such rewrapping is considered OK, then we really need to look
at fixing the PGP signature algorithm to consider all spans of
whitespace as equivalent (collapse down to single blank for signature
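The refolding problem discussed in this message, as an added example that is not part of the original post: a SHA-256 digest stands in for the hash a PGP signature would cover, and `relaxed_digest` is one hypothetical reading of the whitespace-collapsing idea raised above (unfold continuation lines, then collapse runs of blanks). The sample message, host names and function names are constructed for illustration.

```python
import hashlib
import re

CRLF = "\r\n"

# Constructed sample: a message/rfc822 part as it would sit inside the signed
# body part of a multipart/signed, with one long single-line Received: field.
ORIGINAL = CRLF.join([
    "Content-Type: message/rfc822",
    "",
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by "
    "mx.example.net (Postfix) with ESMTP id 0123456789 for "
    "<list@example.net>; Fri, 5 Nov 2004 08:06:34 -0500 (EST)",
    "From: sender@example.org",
    "Subject: constructed test message",
    "",
    "Body text.",
    "",
])

def refold(part, width=60):
    """Wrap long Received: lines the way an intermediate hop might (CRLF + tab)."""
    lines = []
    for line in part.split(CRLF):
        if line.startswith("Received:") and len(line) > width:
            chunks, cur = [], ""
            for word in line.split(" "):
                if cur and len(cur) + 1 + len(word) > width:
                    chunks.append(cur)
                    cur = word
                else:
                    cur = f"{cur} {word}" if cur else word
            chunks.append(cur)
            line = (CRLF + "\t").join(chunks)
        lines.append(line)
    return CRLF.join(lines)

def strict_digest(part):
    """Digest over the exact CRLF-canonical bytes, as a byte-exact signature sees them."""
    return hashlib.sha256(part.encode("ascii")).hexdigest()

def relaxed_digest(part):
    """Hypothetical canonicalization: unfold headers, then collapse blank runs."""
    unfolded = re.sub(r"\r\n(?=[ \t])", "", part)   # CRLF before WSP is a fold
    collapsed = re.sub(r"[ \t]+", " ", unfolded)     # any blank run -> one space
    return hashlib.sha256(collapsed.encode("ascii")).hexdigest()

REFOLDED = refold(ORIGINAL)

if __name__ == "__main__":
    print("strict match: ", strict_digest(ORIGINAL) == strict_digest(REFOLDED))
    print("relaxed match:", relaxed_digest(ORIGINAL) == relaxed_digest(REFOLDED))
```

The strict digest changes after refolding even though the header's meaning is unchanged, while the relaxed digest is stable across the rewrap.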