Werner Koch <wk(_at_)gnupg(_dot_)org> writes:
[Implications of a wildcard micalg parameter]
I don't think we should break one of the basic design goals of MIME.
Agreed.
I wouldn't suggest that if I had not observed that the parameter isn't
set correctly by many users.
However, it is pretty easy to set micalg to the correct value, given
that a) it should nearly always be SHA1 today,
Okay, that's certainly a point. But there will always be a certain
percentage of PGP 2.6.x users (and according to some rumors, most
people who seriously use OpenPGP technology are in this category).
Maybe it's time for MD5 to finally die by the hands of the
cryptanalysts. ;-)
b) that I know no mail implementaion which creates a signed message
without first storing the entire message
The problem isn't that it's technically impossible to generate this
header. Most OpenPGP implementations simply do not provide the
necessary data to the calling MUA while creating the signature. (Of
course, you can extract it using 'gpg --list-packet', and in fact I
plan to add this to Gnus some day, but this seems to be rather
hackish.)
--
Florian Weimer
Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898