ietf-openpgp

Re: Bad Armour Headers

2006-01-05 18:22:20

[This may get through twice - I sent it from the wrong address earlier]

On Thu, Jan 05, 2006 at 04:55:43PM +0100, Werner Koch wrote:
> On Thu, 5 Jan 2006 16:15:41 +0100, Daniel A Nagy said:
[>> long header lines, wrapped (2)822-style]
[> attack based on message in the header-lines]
> By replacing the underscore with an invisible character this is close
> to perfect but even with an underscore or an "> ", many users will
> assume that the "Comment" line is just one line and the rest is
> actually the signed message.

If you use gpg --decrypt on such a message, then it will output the
signed text, which of course is not in the header. In my mailer (mutt)
it recognises the signed text as such and wraps (and displays) that. I
feel that anyone looking at the original source of even ASCII-armoured
mail rather than checking the signature for anything of that kind of
importance might well deserve what they get.

(Obviously, Werner, I appreciate that you know what GnuPG does in this
 situation, but I wanted to make the point that using the output of
 what the openpgp transformation does when it reads the ascii armoured
 text. It seems almost sensible that there SHOULD be a way of outputting
 this in normal context, but we're in last call, and I don't think it's
 appropriate to start adding wording.)

Cheers

MBM

-- 
Matthew Byng-Maddick          <mbm(_at_)colondot(_dot_)net>           
http://colondot.net/
                      (Please use this address to reply)
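
The distinction drawn in the message above, between header lines and the signed text that a verifier outputs, as an added example (not part of the original post and not GnuPG's code): a Python function that splits a cleartext-signed block at the blank line and flags header-area lines that are not of the form `Key: Value`. It assumes the usual layout (BEGIN line, armor headers, one blank line, dash-escaped text, signature block), performs no signature verification, and the names `split_cleartext` and `SAMPLE` and the sample message are constructed for illustration.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# A well-formed armor header is "Key: Value". Anything else before the blank
# line (folded continuations, filler characters) is flagged for review.
HEADER_RE = re.compile(r"^[A-Za-z0-9-]+: \S.*$")

def split_cleartext(text):
    """Return (headers, suspicious, signed_text) for one cleartext-signed block."""
    lines = [l.rstrip("\r") for l in text.split("\n")]
    i = lines.index(BEGIN_SIGNED) + 1
    headers, suspicious = [], []
    # The header area ends at the first line that is empty or only spaces/tabs.
    # A line holding some other invisible character is NOT blank, so it is flagged.
    while i < len(lines) and lines[i].strip(" \t") != "":
        (headers if HEADER_RE.match(lines[i]) else suspicious).append(lines[i])
        i += 1
    if i == len(lines):
        raise ValueError("no blank line separating headers from signed text")
    end = lines.index(BEGIN_SIG, i)
    # Undo dash-escaping ("- " prefix) on the lines the signature covers.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:end]]
    return headers, suspicious, "\n".join(body)

# Constructed sample: a Comment header folded over several lines so that the
# continuation reads like message text. None of it is covered by a signature.
SAMPLE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA1",
    "Comment: a long comment that a sender folded onto",
    " _",
    " I owe the bearer 1000 EUR.",
    "",
    "Lunch at noon?",
    "- -- ",
    "Alice",
    BEGIN_SIG,
    "(constructed placeholder, no real signature data)",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    headers, suspicious, signed = split_cleartext(SAMPLE)
    print("armor headers (unsigned):", headers)
    print("flagged header-area lines:", suspicious)
    print("signed text:\n" + signed)
```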
