On 01/08/2014 12:35 PM, Paul Boddie wrote:
> Of course, RFC 3156 warns about the pitfalls of encoding the part that is to
> be signed,

It doesn't just warn about the pitfalls. It states that:

    Multipart/signed and multipart/encrypted are to be treated by agents as
    opaque, meaning that the data is not to be altered in any way [2], [7].

where [2] and [7] map roughly to:

[2] https://tools.ietf.org/html/rfc1847#section-2.1

which reads:

    Security Considerations: [multipart/signed parts] Must be treated as
    opaque while in transit

and

[7] https://tools.ietf.org/html/rfc2480#section-4

which reads:

    [email gateways] MUST provide the ability to tunnel multipart/signed
    and multipart/encrypted objects as monolithic entities if there is any
    chance whatsoever that MIME capabilities exist on the non-MIME side of
    the gateway. No changes to content of the multipart are permitted, even
    when the content is itself a composite MIME object.

so if Python's email module really does mangle this part, it cannot be used within RFC-2480-compliant mail gateways. This is a bug in Python's email module, and it needs to be fixed. Have you reported it to the python email module?

Thanks for raising the issue,

--dkg
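A check a gateway or list operator could run against the opacity requirement quoted above, as an added example that is not part of the original message: it cuts the signed part out of the raw bytes and compares its digest before and after a processing step. The sample message, the two gateway outputs and all function names are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes

def signed_part_bytes(raw: bytes) -> bytes:
    """Return the first body part of a multipart/signed message, byte for byte."""
    msg = message_from_bytes(raw)  # used only to read the boundary parameter
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    # A delimiter line is "--boundary" (or "--boundary--"); the line break
    # before it belongs to the delimiter, not to the part (RFC 2046).
    delim = re.compile(rb"(?:\A|\r?\n)--" + re.escape(boundary.encode("ascii"))
                       + rb"(?:--)?[ \t]*(?:\r?\n|\Z)")
    marks = list(delim.finditer(raw))
    if len(marks) < 2:
        raise ValueError("signed part is not delimited")
    return raw[marks[0].end():marks[1].start()]

def signed_part_digest(raw: bytes) -> str:
    """SHA-256 of the signed part, suitable for logging at each hop."""
    return hashlib.sha256(signed_part_bytes(raw)).hexdigest()

def signed_part_preserved(before: bytes, after: bytes) -> bool:
    """True when a processing step left the signed part untouched."""
    return signed_part_digest(before) == signed_part_digest(after)

# Constructed sample message; the signature body is a placeholder.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b' protocol="application/pgp-signature"; boundary="sig-b1"\r\n'
    b"\r\n"
    b"--sig-b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"This text is covered by the signature.\r\n"
    b"--sig-b1\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"(placeholder, not a real signature)\r\n"
    b"--sig-b1--\r\n"
)

# Constructed outputs of two hypothetical gateways.
RELAYED = b"Received: by gw.example.org\r\n" + SAMPLE  # outer header added
REQUOTED = SAMPLE.replace(b"charset=us-ascii", b'charset="us-ascii"')  # inner header rewritten
```

Adding an outer header leaves the digest unchanged, while the semantically equivalent rewrite of the inner Content-Type header changes it and would invalidate the signature.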
