[Enigmail] MIME multipart/signed and the risk of followon MIME parts
Ludovic Hirlimann
ludovic at mozillamessaging.com
Wed May 6 00:16:29 PDT 2009
On 5/6/09 8:49 AM, Patrick Brunschwig wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Daniel Kahn Gillmor wrote:
>
>> it gets weirder!
>>
>> On 05/05/2009 12:01 PM, Daniel Kahn Gillmor wrote:
>>
>>> *-+ Content-Type: multipart/mixed (A)
>>>   +--+ Content-Type: multipart/signed (X)
>>>   |  +-- Content-Type: text/plain (Y)
>>>   |  +-- Content-Type: application/pgp-signature (Z)
>>>   +-- Content-Type: text/plain (disposition: inline) (B)
>>>
>>> (B) in this case is the mailing list footer.
>>>
>> I tried crafting a message like this, but with additional injected text
>> (C) above the signed part (X):
>>
>> *-+ Content-Type: multipart/mixed (A)
>>   +-- Content-Type: text/plain (disposition: inline) (C)
>>   +--+ Content-Type: multipart/signed (X)
>>   |  +-- Content-Type: text/plain (Y)
>>   |  +-- Content-Type: application/pgp-signature (Z)
>>   +-- Content-Type: text/plain (disposition: inline) (B)
>>
>> In this case, icedove displays C<hr>Y<hr>B, but no enigmail header
>> appears at all, and the MUA does not appear to be aware that any part of
>> the message itself was signed.
>>
>> Is this intentional? What should enigmail do in this scenario where
>> only a section of the message is signed?
>>
> It's not intentional. The problem is that the MIME structure information
> given by Thunderbird is insufficient, thus Enigmail can't detect the
> signed part.
>
>
What's the bug number for that?
Ludovic
--
Ludovic Hirlimann MozillaMessaging QA lead
http://www.spreadthunderbird.com/aff/79/2
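
Added example (not part of the original thread, and not Enigmail or Thunderbird code): a structural check a mail client or filter could run to label which leaf parts sit inside a multipart/signed container and which are displayed outside it, using the C / X(Y,Z) / B layout quoted above. The sample message, its part texts and the function names are constructed for illustration; the check looks at MIME structure only and does not verify any signature.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def coverage(part, state="UNSIGNED", path="A"):
    """Return [(path, content_type, state)] for every leaf part.

    state is "signed" for leaves under the first child of a multipart/signed
    container, "signature" for its second child, and "UNSIGNED" otherwise.
    """
    if not part.is_multipart():
        return [(path, part.get_content_type(), state)]
    rows = []
    is_signed = part.get_content_type() == "multipart/signed"
    for i, child in enumerate(part.get_payload(), 1):
        child_state = state
        if is_signed and state != "signed":
            # Child 1 is the signed data, child 2 the detached signature.
            child_state = "signed" if i == 1 else "signature"
        rows += coverage(child, child_state, f"{path}.{i}")
    return rows


def partially_signed(msg):
    """True when signed content is mixed with content outside the signature."""
    states = {state for _, _, state in coverage(msg)}
    return "signed" in states and "UNSIGNED" in states


def build_sample():
    """Constructed message with the layout from the thread: C, X(Y, Z), B."""
    x = MIMEMultipart("signed", protocol="application/pgp-signature")
    x.attach(MIMEText("signed body (Y)"))
    x.attach(MIMEApplication(b"placeholder, not a real signature", "pgp-signature"))
    a = MIMEMultipart("mixed")
    a.attach(MIMEText("text placed before the signed part (C)"))
    a.attach(x)
    a.attach(MIMEText("mailing list footer (B)"))
    # Round-trip through bytes so the check runs on a parsed message.
    return message_from_bytes(a.as_bytes())


if __name__ == "__main__":
    sample = build_sample()
    for path, ctype, state in coverage(sample):
        print(f"{path:6} {ctype:28} {state}")
    print("partially signed:", partially_signed(sample))
```

A client that gets True from partially_signed has enough structural information to mark the signed region separately instead of showing no signature status at all.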