ietf-openpgp

Re: The case against redundancy and isolation

1997-11-20 23:16:41
On November 19 1997, Jeremey Barrett wrote:

> With ASCII armored messages, it is immediately obvious to
> the recipient that the message was signed or encrypted,
> whether or not they have a MIME-capable mail reader. It is
> also trivial, with few exceptions, to invoke pgp and
> decrypt or verify the message, or to use an sdk and do it
> internally.

With MIME, it is immediately obvious to the recipient that
the message was signed or encrypted, whether or not they
may have a PGP-capable mail reader.  It is also trivial to
use this non-PGP-aware software to handle PGP/MIME signed
messages correctly when replying.  

> I want to be able to send secure email to people who don't
> use MIME, that is a very useful feature of PGP in the
> context of email, and I don't see any reason at all to not
> include ASCII armoring in the draft.

I want to be able to send PGP-signed email to mailing
lists where not everybody has PGP at hand.  Nevertheless,
everybody should be able to properly handle my messages
(which might quite well include diff(1) output and similar
things).  Separating the cryptographic signature from the
message's content proper is one of the most useful
features of multipart/signed messages.

> There is an awful lot of utility in ASCII armoring, and it
> would be unfortunate to "standardize" it out of future PGP
> implementations. Especially considering how bloody easy it
> is to implement, relative to PGP/MIME.

Oh, a minimal PGP/MIME implementation just hands off the
second part of a multipart/encrypted attachment (which is
itself application/octet-stream) to pgp and feeds its
output to the MIME parser once again.  This could even be
done with something like Metamail.  multipart/signed isn't
a problem at all for MIME implementations - if it doesn't
support PGP/MIME, the signature will be handled as an
unknown attachment which is absolutely correct.  Seeing
this from the implementor's side, doing PGP/MIME inside of
a MIME-capable MUA is more or less trivial, while handling
application/pgp (aka ASCII armor) attachments properly
requires quite a bit of work.

> Yes, PGP is about security, and requiring PGP users to use
> MIME mail readers does not result in an increase in
> security. Quite the opposite.
            ^^^^^^^^^^^^^^^^^^^

How do you come to this conclusion?  I'm actually quite
glad to use a MIME and PGP capable Mail User Agent.  And
yes, I'm using it from my Unix shell.  And yes, it's
freely available.

> IMO ASCII-armored PGP is not a competing standard on encoding
> techniques, rather it is an integral part of PGP and security.

I beg your pardon - PGP just works fine with binaryly
transmitted packet files.

tlr
-- 
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
   1280/593238E1 · AE 24 38 88 1B 45 E4 C6  03 F5 15 6E 9C CA FD DB

Attachment: pgphUucbARE04.pgp
Description: PGP signature
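
The minimal PGP/MIME handling described in the message above, as an added example that is not part of the original post or of any mail client mentioned in it: a generic MIME parser (Python's standard `email` package) separates the readable content from the PGP data without knowing anything about PGP. The function name `split_pgp_mime` and both sample messages are constructed for illustration, and the armored bodies are placeholders.

```python
from email import message_from_bytes
# Constructed sample messages; the armored bodies are placeholders, not real PGP output.
SIGNED = b"""\
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

--- a/file
+++ b/file
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
--b1--
"""
ENCRYPTED = b"""\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder)
-----END PGP MESSAGE-----
--b2--
"""

def split_pgp_mime(raw):
    """Return (kind, readable_part, pgp_blob) using only a generic MIME parser."""
    msg = message_from_bytes(raw)
    kind = msg.get_content_type()
    parts = msg.get_payload()
    if kind not in ("multipart/signed", "multipart/encrypted") or len(parts) != 2:
        raise ValueError("not a two-part PGP/MIME message")
    first, second = parts
    if kind == "multipart/signed":
        # A reader without PGP displays `first` untouched; the signature is an unknown attachment.
        return "signed", first, second.get_payload(decode=True)
    if second.get_content_type() != "application/octet-stream":
        raise ValueError("second part must be application/octet-stream")
    # Hand this blob to pgp, then feed the plaintext back into message_from_bytes().
    return "encrypted", None, second.get_payload(decode=True)
```

In the signed case the diff-style body comes back byte-for-byte separate from the signature, which is the property the message relies on for mailing-list use.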