Re: [Evolution] pgp unusable?

On Thu, 2001-11-29 at 19:50, Thomas O'Dowd wrote:
On Thu, Nov 29, 2001 at 03:33:32PM -0500, Jeffrey Stedfast wrote:

In-line pgp mode is a broken way to do it - so many things can go
"wrong". Should I first QP/Base64 encode the text before signing? or
should I do it afterward? Do I From-escape before? afterward? ever? Do I
CRLF encode before signing?

Sure, its broken but everyone does it. I've had to do it for ages now
because my windows loving friends have too much trouble reading the 
standard. Anyway, I don't quite see the problems that you see with
implementing it at least not with pgp. I've never used gpg so I don't
know about it. Here are some answers to your questions.

to just encrypt

 mailtext | pgp +verbose=0 +encrypttoself +batchmode -feat RECEIVERS

or to sign and encrypt

 mailtext | pgp +verbose=0 +encrypttoself +batchmode -feast RECEIVERS

If you do this then, it will sign, encrypt, handle the line feeds and
encode everything in the correct order. About From escaping, why would
you ever do it in a client? It is only a storage requirement for mbox
mail spools. If you are talking about archival in the sent folder, then
you never have to worry about that with PGP encrypted text as you won't
find the combo "^From " in the encoded text.

I wasn't talking about encrypting...obviously with encrypting I don't
have to worry about the problems I mentioned, but I *do* have to worry
about them when I am just signing the text.

The reason the client should do From-escaping when signing is to make it
so that the client on the other end doesn't have to From-escape. Why
would you wanna do that? Because if the other end has to From-escape
(because it uses mbox or something), then it won't be able to verify the

the PGP/MIME specification suggests that clients do this, but seeing as
how there isn't a spec for doing it in-line - who's to say what you
should and shouldn't do?

The problem is that you guys don't fully understand the problem, to you
it sounds as simple as "just pipe it to pgp or gpg and whallah" but it's
not that simple. Well, not if you expect the other end to be able to
verify your signatures at least. Sure, I could just pipe to pgp/gpg, but
if the other end can't verify the signature, what good is it?


Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
fejj ximian com  -

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]