Broken PGP signature [WAS: Re: inline gpg signatures?]

On 08.12.03 16:39, Kacper Wysocki wrote:
> Sure, since the message is stored in a public archive I'm sure the  
> author won't mind.

The "Content-Type:" parameter of this message does not contain the  
mandatory "micalg" parameter, so balsa says it's invalid. You can compare  
this with a message where the signature is detected successfully:

Content-Type: multipart/signed;

Quoted from RFC 3156 (

: 5.  OpenPGP signed data
:    [...]
: The "micalg" parameter for the "application/pgp-signature" protocol
: MUST contain exactly one hash-symbol of the format "pgp-<hash-
: identifier>", where <hash-identifier> identifies the Message
: Integrity Check (MIC) algorithm used to generate the signature.
: Hash-symbols are constructed from the text names registered in [1]
: or according to the mechanism defined in that document by converting
: the text name to lower case and prefixing it with the four
: characters "pgp-".

I guess the programmers of that MUA were confused by the fact that  
although the parameter is mandatory, it's actually not used as the gpg  
signature is self-contained (i.e. has the used mic alg encoded  
internally). So you might want to send a bug report...

Maybe balsa could be more specific about such rfc violations, but we had a  
discussion a while ago about that with the result that we should just say  
that broken messages are broken... I guess popping up a dialog which says  
that the micalg parameter is missing (or some other detailed description  
which nobody will understand if (s)he is not a programmer) will produce  
even more confusion.



 Albrecht Dreß  -  Johanna-Kirchner-Straße 13  -  D-53123 Bonn (Germany)
       Phone (+49) 228 6199571  -
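
An added example, not part of the original message and not Balsa's code: a check of the top-level header against the RFC 3156 section 5 rule quoted above, using Python's standard `email` module. The function name `check_pgp_signed` and the sample headers are constructed for illustration, and the micalg test is a format check only, not a lookup in the hash-name registry.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Format only: "pgp-" followed by one lower-case hash name (assumption: the
# name is not checked against the registry the RFC refers to).
MICALG_RE = re.compile(r"pgp-[a-z0-9][a-z0-9-]*")


def _param(msg, name):
    """Return a Content-Type parameter as a plain string, or None if absent."""
    value = msg.get_param(name)
    return None if value is None else collapse_rfc2231_value(value)


def check_pgp_signed(raw_message):
    """List RFC 3156 section 5 problems in the top-level header (empty = ok)."""
    msg = message_from_string(raw_message)
    if msg.get_content_type() != "multipart/signed":
        return ["not multipart/signed"]
    problems = []
    protocol = _param(msg, "protocol")
    if protocol is None or protocol.lower() != "application/pgp-signature":
        problems.append("protocol is not application/pgp-signature")
    micalg = _param(msg, "micalg")
    if micalg is None:
        problems.append("micalg parameter is missing")
    elif not MICALG_RE.fullmatch(micalg):
        problems.append("micalg is not exactly one pgp-<hash-identifier>: %r" % micalg)
    return problems


# Constructed sample headers (bodies omitted; only the header is inspected).
GOOD = ('Content-Type: multipart/signed; boundary="b1"; micalg=pgp-sha1;\n'
        ' protocol="application/pgp-signature"\n\n')
NO_MICALG = ('Content-Type: multipart/signed; boundary="b1";\n'
             ' protocol="application/pgp-signature"\n\n')
TWO_HASHES = ('Content-Type: multipart/signed; boundary="b1";\n'
              ' micalg="pgp-sha1,pgp-md5"; protocol="application/pgp-signature"\n\n')

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("no micalg", NO_MICALG), ("two hashes", TWO_HASHES)):
        print(name, "->", check_pgp_signed(raw) or "ok")
```
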
