Who bought off Zimmermann?

Bill Stewart bill.stewart at pobox.com
Sun Aug 25 23:03:02 PDT 2013


At 10:45 PM 8/25/2013, Shawn K. Quinn wrote:
>Though I think the following poster who
>suggested scanning the email itself for the PGP identifier might be more
>useful and less prone to being fooled by someone who just puts the
>header in there without actually encrypting.

Anybody who's putting in the header without doing the encryption
is going out of their way to ask for trouble, and presumed to be
doing it on purpose, whether for entrapment or denial of service or whatever.
As long as you don't make it easy to do by accident, it's not a problem.

>Also, headers don't have to
>be in a specific order, it's possible that "From:" or "Subject:"
>accidentally get moved ahead of "X-PGP-Encrypted:" by mistake and that
>would result in a false bounce.

The threat model I was worrying about was that if you get to From: or Subject:,
and you're subject to an NSA Vacuum Cleaner Order,
you've got potentially sensitive information about your users or their contacts
that you could be forced to retain and turn over.
You need to reject the message before you see that, which means checking the
header keyword before you accept any characters past the :.
And yeah, that means you could get false bounces, but hopefully anybody who's
trying to hide their identity from the NSA will leave those headers out
of the cleartext part of the message anyway.
Ideally you don't even want the SMTP-level FROM keyword, but it's probably hard
to get most MTAs not to send that one.
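
An added sketch of the check described in this message (not part of the original post, and not code from any MTA): a gate that reads the incoming message one byte at a time and decides on the first header field name, stopping at the ":" so no header value is read before the decision. The `gate` function, the 64-byte name cap, the header value "yes" and the sample messages are all constructed for illustration.

```python
import io

REQUIRED = b"x-pgp-encrypted"  # header name from the thread; matched case-insensitively
MAX_NAME = 64                  # assumed cap on field-name length (not from the post)


def gate(stream):
    """Decide on the first header field name alone.

    Reads one byte at a time and stops at the first ':', so no header value
    is consumed before the decision. Returns (accepted, bytes_consumed).
    """
    name = bytearray()
    consumed = 0
    while True:
        b = stream.read(1)
        if not b:
            return False, consumed      # stream ended before a field name completed
        consumed += 1
        if b == b":":
            break
        if b in b" \t\r\n" or len(name) >= MAX_NAME:
            return False, consumed      # malformed or oversized field name
        name += b
    return bytes(name).lower() == REQUIRED, consumed


# Constructed sample messages (addresses and header value are made up).
ENCRYPTED_FIRST = (b"X-PGP-Encrypted: yes\r\n\r\n"
                   b"-----BEGIN PGP MESSAGE-----\r\n...\r\n")
FROM_FIRST = (b"From: alice@example.org\r\n"
              b"X-PGP-Encrypted: yes\r\n\r\n"
              b"-----BEGIN PGP MESSAGE-----\r\n...\r\n")
HEADER_ONLY = b"X-PGP-Encrypted: yes\r\n\r\nplain text body\r\n"


def run_samples():
    """Return {label: (accepted, bytes_consumed)} for the three samples."""
    samples = {"encrypted_first": ENCRYPTED_FIRST,
               "from_first": FROM_FIRST,
               "header_only": HEADER_ONLY}
    return {k: gate(io.BytesIO(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for label, (ok, n) in run_samples().items():
        print(f"{label:16} accepted={ok} bytes_consumed={n}")
```

The `from_first` sample is the false bounce raised in the quoted text: it is rejected after 5 bytes, before the address is read. The `header_only` sample passes, since the gate checks only the header name and not whether the body is actually encrypted.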




More information about the cypherpunks mailing list