Subject: Re: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code
To: None <,,>
From: Ignatios Souvatzis <>
List: current-users
Date: 08/06/2002 21:53:47

On Fri, Aug 02, 2002 at 07:39:34PM -0400, Todd Vierling wrote:
> On Fri, 2 Aug 2002, Ignatios Souvatzis wrote:
> : > We'll use this to see how many people check sigs ;-)
> :
> : I'd auto-check them if they had proper PGP/MIME headers...
> Please don't use "application/pgp".  This **DOES NOT** come up as plaintext
> in the majority of MIME-aware MUA's, and thus, it should only be used for
> ASCII armored (or base64-encoded binary) PGP blocks.

Of course not. E.g. Mutt creates this:

> Mime-Version: 1.0
> Content-Type: multipart/signed; micalg=pgp-md5;
>         protocol="application/pgp-signature"; boundary="5vNYLRcllDrim
> Content-Disposition: inline

where the first part is text/plain, if it was text/plain before, or whatever
your message was before signing. It seems to properly encapsulate and sign
multiparts etc. if necessary, I've used this before.

I believe there is an RFC standardizing this, analogous to the PEM one, but it
has been a few years since I studied them.

I can see why SO announcements might NOT use this -
SO want to have the same message they send out available on the ftp server,
while creating PGP/MIME involves creating a detached signature.

OTOH, storing a separate signature per announcement might be ok.

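The message layouts discussed in this thread, as an added example that is not part of the original post: a Python sketch that tells a PGP/MIME `multipart/signed` message (signed content plus detached signature) apart from `application/pgp` and from an inline clearsigned `text/plain` body. The function name, the result labels and both sample messages are constructed for illustration; the code checks structure only and does not verify any signature.

```python
from email import message_from_bytes

CLEARSIGN = b"-----BEGIN PGP SIGNED MESSAGE-----"

def classify_signature(raw: bytes):
    """Return (kind, content type of the signed part or None); structure only."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload() if msg.is_multipart() else []
        ok = (
            (msg.get_param("protocol") or "").lower() == "application/pgp-signature"
            and msg.get_param("micalg") is not None
            and len(parts) == 2
            and parts[1].get_content_type() == "application/pgp-signature"
        )
        # parts[0] is the message as it was before signing; parts[1] is the
        # detached signature over it.
        if ok:
            return ("pgp-mime", parts[0].get_content_type())
        return ("signed-not-pgp-mime", None)
    if ctype == "application/pgp":
        return ("application/pgp", None)  # the type the quoted reply warns against
    if ctype == "text/plain" and CLEARSIGN in (msg.get_payload(decode=True) or b""):
        return ("inline-clearsigned", None)  # one self-contained file, no MIME parts
    return ("unsigned", None)

# Constructed sample messages; boundary, bodies and signatures are placeholders.
PGP_MIME = (
    b'Mime-Version: 1.0\r\n'
    b'Content-Type: multipart/signed; micalg=pgp-md5; '
    b'protocol="application/pgp-signature"; boundary="CONSTRUCTED"\r\n\r\n'
    b'--CONSTRUCTED\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n'
    b'advisory text\r\n'
    b'--CONSTRUCTED\r\nContent-Type: application/pgp-signature\r\n\r\n'
    b'(detached signature placeholder)\r\n--CONSTRUCTED--\r\n'
)
INLINE = (
    b'Content-Type: text/plain; charset=us-ascii\r\n\r\n'
    b'-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nadvisory text\r\n'
    b'-----BEGIN PGP SIGNATURE-----\r\n(placeholder)\r\n-----END PGP SIGNATURE-----\r\n'
)

if __name__ == "__main__":
    for name, raw in (("PGP/MIME", PGP_MIME), ("inline", INLINE)):
        print(name, classify_signature(raw))
```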