https://bugs.kde.org/show_bug.cgi?id=427091
Sandro Knauß <skna...@kde.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CONFIRMED

--- Comment #8 from Sandro Knauß <skna...@kde.org> ---
(In reply to Ingo Klöcker from comment #6)
> By the way, it seems that encrypted+signed messages are not affected by this
> problem. On the other hand, looking at the decrypted MIME tree of such a
> message it makes me wonder whether protected headers is actually correctly
> implemented for encrypted+signed messages. To me it seems as if the
> "protected headers" are not part of the signed message part but of the
> enclosing multipart/signed message part which means that they are not really
> protected by the signature. Ironically, this implementation bug prevents the
> signatures of encrypted+signed messages from being broken by the protected
> headers feature.

It is correct that the "protected headers" are not signed with
encrypted+signed, as it does not use SignEncryptJob but assembles the mail by
hand in composerjob, but this is a different issue. But anyway, as the content
is encrypted there is only a binary blob that cannot be modified afterwards,
and this prevents any external modification and a valid signature.

The ProtectedHeadersJob was only referencing all the headers to save some
memory, and I thought that the headers were finalized already. This assumption
turns out to be wrong, so I now copy all headers; see the merge request:

https://invent.kde.org/pim/messagelib/-/merge_requests/21
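
The aliasing problem described in this comment, as an added C++ sketch that is not messagelib or KMime code: a signed part that only references the composer's header objects changes when a header is rewritten after signing, while a part holding copies does not. `Header`, `SignedPart`, `digest` and the late Subject rewrite are hypothetical, and an FNV-1a hash stands in for the real signature.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Toy model, not KMime/messagelib code: a header is a mutable name/value pair.
struct Header { std::string name, value; };
using HeaderPtr = std::shared_ptr<Header>;

// The part that gets signed: protected headers followed by the body.
struct SignedPart {
    std::vector<HeaderPtr> headers;
    std::string body;
    std::string serialize() const {
        std::string out;
        for (const auto &h : headers) out += h->name + ": " + h->value + "\r\n";
        return out + "\r\n" + body;
    }
};

// FNV-1a stands in for the OpenPGP or S/MIME signature (assumption):
// the only property needed here is "did the signed bytes change".
uint64_t digest(const std::string &data) {
    uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : data) { h ^= c; h *= 1099511628211ULL; }
    return h;
}

// Builds the signed part either by sharing the composer's header objects
// (referencing) or by deep-copying them, signs it, then rewrites a header
// the way a later finalization step might. Returns whether the signature
// still matches the bytes that are actually sent.
bool signatureSurvivesFinalization(bool copyHeaders) {
    // Constructed sample headers.
    std::vector<HeaderPtr> composer = {
        std::make_shared<Header>(Header{"Subject", "Quarterly report"}),
        std::make_shared<Header>(Header{"To", "alice@example.org"})};
    SignedPart part;
    part.body = "See attachment.\r\n";
    for (const auto &h : composer)
        part.headers.push_back(copyHeaders ? std::make_shared<Header>(*h) : h);

    const uint64_t signature = digest(part.serialize());  // signing happens here
    composer[0]->value = "=?UTF-8?Q?Quarterly_report?=";   // assumed late rewrite
    return digest(part.serialize()) == signature;          // recipient's check
}
```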