GPG signed messages = SMIME?
Hi folks,

Maybe I have a case of the stupids here, but I used the gpgrc file that comes with the source distro and when I sign a mail with my GPG signature the entire message gets converted to SMIME format.

This may be OK for some MUAs out there, but when I send mail to where I work from home using mutt and sign them with GPG the recipient is going to see this from Micro$oft Outlook which does horrible things to SMIME. Also because of this it would appear that the PGP client for windows can't figure out how to verify the signature when it is in SMIME format.

Maybe my memory is warped, but I seem to remember that PGP normally signs messages keeping the body of the email in text format. Is there a way of doing the same thing under the GPG/Mutt combination? Or am I stuck with SMIME format messages when I sign them?

I checked the FAQ and searched the archives already to no avail.

--
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Peter L. Berghold http://www.berghold.net [EMAIL PROTECTED]
Linux Bigot at Large
"Linux renders ships... Windows NT renders ships useless..."
Re: GPG signed messages = SMIME?
On 2000-06-13 15:44:47 -0400, Peter L. Berghold wrote:

> Maybe I have a case of the stupids here, but I used the gpgrc file that comes with the source distro and when I sign a mail with my GPG signature the entire message gets converted to SMIME format.

S/MIME is something mutt doesn't understand or generate currently. More precisely, it's some set of standards based on pkcs #7, X.509 certificates, and the framework from RFC 1847 (multipart/{signed,encrypted}, originally specified for use by MOSS). Don't ask me for details, I'm not really familiar with S/MIME.

The framework from RFC 1847 is quite general, and can also be applied to PGP. The resulting format is called PGP/MIME, and specified in RFC 2015. That's what mutt uses.

The benefit from this framework is that the message's content is (1) signed completely, including MIME headers and the like, and (2) the content is still accessible for MIME MUAs which don't know anything about PGP, S/MIME or the like - for that software, multipart/signed just looks like another unsupported multipart, which consists of two parts: Nested usable data, and something strange called signature, which isn't handled.

> This may be OK for some MUAs out there, but when I send mail to where I work from home using mutt and sign them with GPG the recipient is going to see this from Micro$oft Outlook which does horrible things to SMIME. Also because of this it would appear that the PGP client for windows can't figure out how to verify the signature when it is in SMIME format.

I'd suggest you complain to Microsoft and Network Associates. It's their responsibility to get the support for this right; what mutt does is the standard (ok, proposed standard) way of using PGP with e-mail.

> Maybe my memory is warped, but I seem to remember that PGP normally signs messages keeping the body of the email in text format. Is there a way of doing the same thing under the GPG/Mutt combination? Or am I stuck with SMIME format messages when I sign them?

--
http://www.guug.de/~roessler/
Re: GPG signed messages = SMIME?
First, a quick correction: SMIME would be interpreted by most folks as S/MIME, and that's the spec described in RFCs 2311 (message format) and 2312 (certs). There may be some MUAs that implement it; I don't know which. I've never seen it in use, as far as I know. When I last heard it discussed, some years ago, it seemed like it was being promulgated by the camp that wants everything done with centralized certification authorities; I've never been concerned with trying to make certification authorities more lucrative, only with privacy, so I stuck with PGP:-).

The MIME format supported by Mutt for crypto is RFC 2015, I think I've sometimes seen people refer to it as PGP/MIME. Mutt implements it; I've read on this list recently that someone was introducing support for it into some GUI MUA as well. Aside from that, it's not supported as far as I know.

Now on to the issues you discuss: Outlook is extra special (in the Politically Correct sense of the word, like the Special Olympics); besides going out of its way to make it easy for random strangers to do whatever they want to the victim's (Outlook user's) machine, it also goes out of its way to make it difficult to read PGP/MIME messages; way way harder than a completely non-MIME MUA like e.g. /bin/mail.

There are two responses that could be taken to this state of affairs. You could go out of your way to send "traditional PGP" messages. Just turn off PGP signing in mutt, and use your editor to sign the message. In mine, I just filtered the message through "gpg --clearsign" to get messages signed that way.

I use the past tense; I've signed off the one mailing list that blocked PGP/MIME messages. As for Windows users, they choose to do Windows to themselves; on the very rare occasions that they complain about my email, I point 'em at RFC 2015, and encourage them to complain to the author of their email software --- or switch to email software that doesn't have the problems they're suffering from.

-Bennett

PGP signature
Re: GPG signed messages = SMIME?
Peter --

...and then Peter L. Berghold said...
% Hi folks,
%
% Maybe I have a case of the stupids here, but I used the gpgrc file that
% comes with the source distro and when I sign a mail with my GPG signature
% the entire message gets converted to SMIME format.

You've already heard a bit on S/MIME vs PGP/MIME, so I won't go there. Suffice it to say that this is the default because it's the Right Way.

While I may get my hand slapped ;-) for telling you this, you certainly can do it All The Wrong Way and sign things in the body for the poor suckers who are stuck with LookOut! The easiest way to tell you is to upgrade to, or at least get the source tarball for, 1.2 and check out

  - contrib/gpg.rc
    search for 'old-style' and macro-ify that command

  - doc/PGP-Notes.txt
    search for 'old way' and adapt that macro

HTH
HAND

:-D
--
David T-G * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.bigfoot.com/~davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
The "new millennium" starts at the beginning of 2001. There was no year 0.
Note: If bigfoot.com gives you fits, try sector13.org in its place. *sigh*

PGP signature
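
The three formats the replies above tell apart (PGP/MIME per RFC 2015, S/MIME, and "traditional" clearsigned text in the body) can be distinguished from the message structure alone. The following is an added example, not part of the original thread or of mutt; the function names and the sample messages are constructed for illustration, and it only classifies the format, it does not verify any signature.

```python
from email import message_from_string

# Detached-signature media types: RFC 2015 (PGP/MIME) and S/MIME.
PROTOCOLS = {
    "application/pgp-signature": "PGP/MIME",
    "application/pkcs7-signature": "S/MIME",
    "application/x-pkcs7-signature": "S/MIME",
}
CLEARSIGN = "-----BEGIN PGP SIGNED MESSAGE-----"

def classify_signature(raw: str) -> str:
    """Classify how a raw RFC 822 message is signed."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        protocol = str(msg.get_param("protocol") or "").lower()
        parts = msg.get_payload()
        # RFC 1847: two parts; the second part's type must equal "protocol".
        if (isinstance(parts, list) and len(parts) == 2
                and protocol in PROTOCOLS
                and parts[1].get_content_type() == protocol):
            return PROTOCOLS[protocol]
        return "malformed multipart/signed"
    for part in msg.walk():
        body = part.get_payload()
        if (part.get_content_type() == "text/plain" and isinstance(body, str)
                and body.lstrip().startswith(CLEARSIGN)):
            return "inline PGP"
    return "unsigned"

def build_signed(protocol: str, sig_type: str) -> str:
    """Constructed sample message; micalg and a real signature are omitted."""
    return (
        "From: alice@example.org\nSubject: test\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/signed; protocol="{protocol}"; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain; charset=us-ascii\n\nHello\n"
        f"--b1\nContent-Type: {sig_type}\n\n(placeholder signature)\n--b1--\n"
    )

# Constructed sample of a "gpg --clearsign" style body in a plain message.
INLINE = (
    "From: alice@example.org\nSubject: test\n\n"
    f"{CLEARSIGN}\nHash: SHA1\n\nHello\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    pgp = "application/pgp-signature"
    for raw in (build_signed(pgp, pgp), INLINE):
        print(classify_signature(raw))
```

A multipart/signed message whose second part does not match its declared protocol is reported as malformed rather than guessed at, since a verifier should not pick a signature scheme the sender did not declare.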