On Tue, May 08, 2012 at 04:15:28PM -0400, Celejar wrote:
> I'm no expert in all this, but can you explain and document what you
> mean by the claim that "headers ... must be verified"? All emails have
> their headers modified en route (e.g., "Received:" and "Delivered-To"
> are added, as are all kinds of "X-stuff" ones). Does PGP/MIME really
> protect all headers (beyond the MIME ones)? It really breaks if *any*
> headers are modified? Please provide documentation.

Writing off the top of my head, you may wish to verify everything I say ☺

PGP/MIME does not verify the headers, but your mail is a multipart/mime mail, and it does verify the specific MIME headers that define the encoding for the signed part. If the message is decoded, or re-encoded, then these headers can change (either semantically, if the re-encoding is via a different scheme, or simply syntactically, afaik whitespace changes etc.).

There's a related problem where you can't get at the original mail (so: web archives of mailing lists only give you the decoded bits; I think RT is similar, which is why when someone needs to submit a ticket to the Debian RT queue, they are told to use inline PGP: http://keyring.debian.org/).
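
The behaviour described in the message above, as an added example that is not part of the original post: it extracts the exact bytes of the first part of a multipart/signed mail (the part's own MIME headers plus its encoded body, which is what a PGP/MIME signature is computed over) and shows which post-signing changes alter them. The sample message, the addresses, the helper names and the use of a plain SHA-256 digest as a stand-in for the signature check are all assumptions made for illustration.

```python
import email
import hashlib
import re

# Constructed sample: minimal multipart/signed mail; the signature is a placeholder.
SAMPLE = (
    "From: alice@example.org\r\n"
    "Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    ' protocol="application/pgp-signature"; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "caf=C3=A9\r\n"
    "--b1\r\n"
    "Content-Type: application/pgp-signature\r\n"
    "\r\n"
    "(placeholder)\r\n"
    "--b1--\r\n"
).encode("ascii")

def signed_part(raw: bytes) -> bytes:
    """Exact bytes of the first body part: its MIME headers plus encoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'boundary="?([^";\r\n]+)', head, re.I)
    if m is None:
        raise ValueError("no multipart boundary found")
    delim = b"--" + m.group(1)
    start = body.index(delim + b"\r\n") + len(delim) + 2
    # The CRLF before the next delimiter belongs to the delimiter, not the part.
    return body[start:body.index(b"\r\n" + delim, start)]

def digest(raw: bytes) -> str:
    """SHA-256 of the signed bytes; a stand-in for the OpenPGP signature input."""
    return hashlib.sha256(signed_part(raw)).hexdigest()

def decoded_text(raw: bytes) -> bytes:
    """What a web archive would show: the first part after transfer decoding."""
    return email.message_from_bytes(raw).get_payload(0).get_payload(decode=True)

# Three changes a message can undergo after signing (all constructed).
WITH_RECEIVED = b"Received: from relay.example.net\r\n" + SAMPLE
REENCODED = SAMPLE.replace(b"quoted-printable", b"8bit").replace(b"=C3=A9", b"\xc3\xa9")
RESPACED = SAMPLE.replace(b"text/plain; charset", b"text/plain;  charset")

if __name__ == "__main__":
    for msg in (SAMPLE, WITH_RECEIVED, REENCODED, RESPACED):
        print(digest(msg)[:16], decoded_text(msg))
```

The added `Received:` header leaves the digest unchanged, while the re-encoded and re-spaced variants produce different digests even though the decoded text is identical in all four cases.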