Broken PGP signature [WAS: Re: inline gpg signatures?]

From: Albrecht Dreß <albrecht dress arcor de>
To: Kacper Wysocki <kacperw online no>
Cc: Balsa-Liste <balsa-list gnome org>
Subject: Broken PGP signature [WAS: Re: inline gpg signatures?]
Date: Mon, 8 Dec 2003 19:44:46 +0100

Am 08.12.03 16:39 schrieb(en) Kacper Wysocki:
> Sure, since the message is stored in a public archive I'm sure the  
> author won't mind.

The "Content-Type:" parameter of this message does not contain the  
mandatory "micalg" parameter, so balsa says it's invalid. You can compare  
this with a message where the signature is detected successfully:

Content-Type: multipart/signed;
    boundary="----------=_1070488729-3050-42";
    protocol="application/pgp-signature"

Quoted from RFC 3156 (http://www.ietf.org/rfc/rfc3156.txt):

: 5.  OpenPGP signed data
:
:    [...]
:
: The "micalg" parameter for the "application/pgp-signature" protocol
: MUST contain exactly one hash-symbol of the format "pgp-<hash-
: identifier>", where <hash-identifier> identifies the Message
: Integrity Check (MIC) algorithm used to generate the signature.
: Hash-symbols are constructed from the text names registered in [1]
: or according to the mechanism defined in that document by converting
: the text name to lower case and prefixing it with the four
: characters "pgp-".

I guess the programmers of that MUA were confused by the fact that  
although the parameter is mandatory, it's actually not used as the gpg  
signature is self-contained (i.e. has the used mic alg encoded  
internally). So you might want to send a bug report...

Maybe balsa could be more specific about such rfc violations, but we had a  
discussion a while ago about that with the result that we should just say  
that broken messages are broken... I guess popping up a dialog which says  
that the micalg parameter is missing (or some other detailed description  
which nobody will understand if (s)he is not a programmer) will produce  
even more confision.

Cheers,

	Albrecht.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Albrecht Dreß  -  Johanna-Kirchner-Straße 13  -  D-53123 Bonn (Germany)
       Phone (+49) 228 6199571  -  mailto:albrecht.dress@arcor.de
_________________________________________________________________________

PGP signature

Follow-Ups:
- Re: Broken PGP signature [WAS: Re: inline gpg signatures?]
  - From: manu

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]