ietf-822

Re: [ietf-822] [dmarc-ietf] Request for feedback: draft-ser-authentication-results-openpgp

2020-10-22 10:54:23
In article <1D0mNvhgL7vfSzrdCLrTIFkAk7ulKhb6vw3yQiKdVjP2dxJqF4OZiEzUSsPLhXjiLE3n5NyO9mCP-uVdfyR6FyVQvEsUeoAmGcM4Qj46uR4=@emersion.fr> you write:
>> PGP signatures (and S/MIME signatures) are normally applied and
>> verified by the end-user mail programs. They're in the message body
>> and the changes that list managers typically make, tagging the
>> signature or adding body headers or footers, are unlikely to break a
>> PGP signature.
>
> I can think of ways a ML can change a PGP-signed message to make it
> invalid. Adding a footer to all inline text parts for instance.

Hypothetically, I can think of all sorts of things a mailing list
package could do. Realistically, they don't. When they put a tag at
the end they either put it at the end of the single text part or they
wrap the contents message and add a separate part for the footer.  Or
if it's multipart/signed, it just wraps the whole thing.

How often have you actually seen a PGP-signed message go through a
mailing list and have the signature get broken on the way?

I know that Sympa has code to do various things with S/MIME.  There is
Mailman-PGP but I don't get the impression it's used very much and it looks
like it has different goals, PGP encrypting mail to and from the list.

https://gitlab.com/mailman/mailman-suite/-/issues/13

> (My goal isn't to necessarily block messages with a bad PGP signature,
> but rather display the PGP verification result in the mailing list
> archives UI.)

This seems rather counter to the goals of PGP, in that you're depending
on random third parties to reliably tell you that it's OK that a PGP
signature is broken.

R's,
John

_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
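
The two list behaviours contrasted in the message above, as an added example that is not part of the original post or of any mailing list package: wrapping a multipart/signed entity leaves the signed bytes intact, while appending a footer inside the signed text part changes them. Assumptions: the sample message, footer and boundary names are constructed, a SHA-256 digest stands in for the OpenPGP signature, and only the MIME entity (no top-level mail headers) is handled.

```python
import hashlib
import re

# Constructed sample data; a SHA-256 digest stands in for the OpenPGP signature.
SIGNED_PART = b"Content-Type: text/plain; charset=us-ascii\r\n\r\nHello list.\r\n"
SIG = hashlib.sha256(SIGNED_PART).hexdigest().encode()
FOOTER = b"-- \r\nexample-list mailing list\r\n"

def multipart(subtype, boundary, parts, params=b""):
    """Serialize a MIME multipart entity from already-serialized parts."""
    head = b'Content-Type: multipart/%s; boundary="%s"%s\r\n\r\n' % (subtype, boundary, params)
    body = b"".join(b"--%s\r\n%s\r\n" % (boundary, p) for p in parts)
    return head + body + b"--%s--\r\n" % boundary

def parts_of(entity):
    """Return (subtype, parts) with each part byte-for-byte as transmitted."""
    m = re.match(rb'Content-Type: multipart/(\w+); boundary="([^"]+)"', entity)
    if not m:
        return None, []
    chunks = entity.split(b"\r\n\r\n", 1)[1].split(b"--" + m.group(2))
    # The CRLF before each delimiter belongs to the delimiter, not the part.
    return m.group(1), [c[2:-2] for c in chunks[1:-1]]

def verify(entity):
    """True/False for the first multipart/signed found at any depth, None if none."""
    subtype, parts = parts_of(entity)
    if subtype == b"signed" and len(parts) == 2:
        # The signature covers the first part, headers included (RFC 3156).
        sig = parts[1].split(b"\r\n\r\n", 1)[1].strip()
        return hashlib.sha256(parts[0]).hexdigest().encode() == sig
    for part in parts:
        result = verify(part)
        if result is not None:
            return result
    return None

def original():
    sig_part = b"Content-Type: application/pgp-signature\r\n\r\n" + SIG
    return multipart(b"signed", b"sig", [SIGNED_PART, sig_part],
                     b'; protocol="application/pgp-signature"')

def wrap_with_footer(entity):
    """List wraps the whole message and adds the footer as a separate part."""
    return multipart(b"mixed", b"wrap", [entity, b"Content-Type: text/plain\r\n\r\n" + FOOTER])

def footer_in_text_part(entity):
    """List appends the footer inside the signed text part, altering signed bytes."""
    return entity.replace(SIGNED_PART, SIGNED_PART + FOOTER, 1)
```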
