MIME-encoded PGP / GPG signatures (again)

Karsten M. Self kmself at ix.netcom.com
Wed Sep 26 01:42:19 PDT 2001 

on Tue, Sep 25, 2001 at 11:41:18PM -0700, Meyer Wolfsheim (wolf at priori.net)
wrote:
> On Tue, 25 Sep 2001, Karsten M. Self wrote:

<...>

> >     Actually, plug-in support for a range of mailers is available for
> >     most mainstream products and platforms, including both MS Outlook
> >     and Eudora (two most frequently cited apps).
>
> Incorrect. There is no PGP/MIME support in Outlook, and the Eudora
> PGP/MIME handling is less than perfect.

My information is different, though I've not used Outlook in some years.
I know several people who do, one of whom also uses PGP, RFC 2015 MIME
encoded:

    http://rmarq.pair.com/pgp/mail-clients-pgp.html
    http://www.spinnaker.de/mutt/rfc2015.html

    ...including MS Outlook Express (plugin) and MS Outlook (plugin),

> >   - RSA is almost certainly partially to blame for this.  The RSA PKI
>
> "PKI Patent?" Do elaborate on this for us.

Public key infrastructure.

I was spooning from the top of my head.  It's more generally known as
the RSA public key encryption patent, released by RSA September 6, 2000:

    http://www.rsasecurity.com/news/pr/000906-1.html

I don't have the patent number handy but could reference it for you if
necessary.

> >     patent only expired in September of 2000.  If this patent hadn't
> >     existed, widespread use and implementation of crypto support in mail
> >     tools would be fait acompli, and discussion of legislation such as
> >     the Anti-Terrorism Act of 2001 would be largely moot.
>
> Oh really?
>
> Gee, I thought it perhaps had something to do with the draconian export
> regulations, the ease-of-use problems with crypto, or the fact that most
> mail users "don't feel the need" for encryption.

There were doubtless other issues.  The patent didn't help.

<...>

> >       - Your mailer is broken.
> >       - This is your problem, not mine.
> >       - File a bug report with your vendor.
>
> This will get you killfiled.

I"m willing to risk that.  Responses have varied, most people appreciate
the information (they simply don't know the inssues).  Maybe one in ten
responds as you suggest.  I try to provide compelling content, where
possible.

> >     So, Why Do You Insist On Signing Your Mail Anyway?
>
> How long have you been using PGP/OpenPGP? You are exhibiting the
> typical zeal of a new user, who has only become partially acquainted
> with the issues at hand.

About two years.

You've got arguments against signing?  Again, pointers appreciated.

> > 	It's been suggested variously that I sign messages inline, or in
> > 	some instances, that mailing lists drop all MIME-encoded
> > 	attachments.  I believe this is the wrong solution for two
> > 	reasons:
> >
> > 	  - It breaks useful behavior.  MIME attachments *can* provide
> > 	    useful information, including support of non-ASCII
> > 	    charactersets, required for basic communications in much of
> > 	    the world[...]
>
> We're on an English-language mailing list.

So you're going to disable all MIME handling in your mailer?

> > 	  - It's not the root problem.  The root problem is mail clients
> > 	    which handle untrusted content in an insecure fashion.  This
> > 	    is like dousing 75% of the population with gasoline, then
> > 	    placing match-confiscating personnel at the doors of all
> > 	    public arenas.  The problem isn't the matches.  It's the
> > 	    gasoline.
>
> That's an absurd analogy.

That's an astounding proof.

To expand on the the analogy:  widespread deployment of mail clients
with unsafe content handling (and yes, I'm specifically pointing to MS
Outlook, though there are other guilty parties), combined with an
operating environment with few or no effective security measures, low
user awareness of security details, and lax administrative practices,
creates a volatile, low-entropy, high-potential, readily triggered,
exploitable resource.  Rather like gasoline.

The problem isn't the attachments (matches), it's the gasoline (buggy
mailers).

I think it's rather apt, myself.

> > 	    Palliative measures to reduce the apparent risk without
> > 	    addressing the actual cause mask the problem without fixing
> > 	    it.  If sufficient people feel the pain, we'll eventually
> > 	    see changes either to client behavior or choice.
>
> I'm halfway through this babbling diatribe, and I'm still not seeing
> *any* compelling arguments for using PGP/MIME for mailing list mail
> (which is, if I may remind you, the issue at hand.)

Compelling or otherwise, I'll draw your attention to the paragraphs
immediately following "Why Do You Insist On Signing Your Mail Anyway".

Summarizing:

  - Assurance of identity.
  - Assurance of integrity.
  - Evangelizing PKI.
  - Seeking broader compliance with associated RFCs in mail clients and
    handlers.

> >   - My general suggestion to list maintainers is that policies be set on
> >     what MIME encoding is or isn't allowed.  Content filtering based on
>
> Actually, I'm on this particular list partially because of the MIME
> stripping policy. I'm very happy with it, and I suspect many others
> are.  If you aren't happy with it, feel free to run your own node.
> Choate can give you the details on that.

I'm not set up to run same, but I'm interested in finding one that
doesn't demime.

Peace.

--
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?              Home of the brave
  http://gestalt-system.sourceforge.net/                    Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA!  http://www.freesklyarov.org
Geek for Hire                      http://kmself.home.netcom.com/resume.html

[demime 0.97c removed an attachment of type application/pgp-signature]

More information about the cypherpunks-legacy mailing list