Subject: Re: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code
To: None <email@example.com, firstname.lastname@example.org,>
From: Ignatios Souvatzis <email@example.com>
Date: 08/06/2002 21:53:47
Content-Type: text/plain; charset=us-ascii
On Fri, Aug 02, 2002 at 07:39:34PM -0400, Todd Vierling wrote:
> On Fri, 2 Aug 2002, Ignatios Souvatzis wrote:
> : > We'll use this to see how many people check sigs ;-)
> : I'd auto-check them if they had proper PGP/MIME headers...
> Please don't use "application/pgp". This **DOES NOT** come up as plaintext
> in the majority of MIME-aware MUA's, and thus, it should only be used for
> ASCII armored (or base64-encoded binary) PGP blocks.
Of course not. E.g. Mutt creates this:
> Mime-Version: 1.0
> Content-Type: multipart/signed; micalg=pgp-md5;
> protocol="application/pgp-signature"; boundary="5vNYLRcllDrim
> Content-Disposition: inline
where the first part is text/plain, if it was text/plain before, or whatever
your message was before signing. It seems to properly encapsulate and sign
multiparts etc. if necessary, I've used this before.
I believe there is an RFC standardizing this, analog to the PEM one, but it
has been a few years since I studied them.
I can see why SO announcements might NOT use this -
SO want to have the same message they send out available on the ftp server,
while creating PGP/MIME involves creating a detached signature.
OTOH, storing a separate signature per announcement might be ok.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
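Added example, not code from this message, from Mutt or from GnuPG: a Python script that builds the multipart/signed layout the message describes (the original text/plain body as the first part, a detached application/pgp-signature as the second, micalg naming the hash) and then dissects such a message the way a verifying MUA must, slicing out the exact CRLF-canonical bytes the signature covers rather than re-serialising the parsed part. The layout follows RFC 1847 (multipart/signed) and RFC 3156 (PGP/MIME), the standard the author recalls. The signature block is a constructed placeholder, so no real OpenPGP verification happens; the function names, the sample body and the digest step are assumptions of this example.

```python
"""Build and dissect a PGP/MIME message (multipart/signed, RFC 1847 / RFC 3156).

Added example, not code from the mailing-list post, Mutt or GnuPG. The
signature block is a constructed placeholder, not a real OpenPGP signature,
so no gpg call is made; what the script shows is the MIME layout described in
the message: first part = the original text/plain body, second part = a
detached application/pgp-signature over the first part's canonical bytes.
"""
import hashlib
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

PROTOCOL = "application/pgp-signature"
# RFC 2046 canonical form: every line ends in CRLF. The signature covers the
# canonical bytes, so a verifier that sees bare LF has already lost.
CRLF_POLICY = policy.compat32.clone(linesep="\r\n")
# micalg values a PGP/MIME MUA emits (RFC 3156 names) -> hashlib algorithm.
MICALG_TO_HASH = {"pgp-md5": "md5", "pgp-sha1": "sha1", "pgp-sha256": "sha256"}

# Constructed placeholder standing in for the ASCII-armored detached signature.
FAKE_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.0.6 (NetBSD)\n"
    "\n"
    "PLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
    "-----END PGP SIGNATURE-----\n"
)


def build_pgp_mime(body_text, micalg="pgp-sha1"):
    """Return wire bytes of a multipart/signed message wrapping body_text,
    laid out the way a PGP/MIME-capable MUA such as Mutt lays it out."""
    outer = MIMEMultipart("signed", micalg=micalg, protocol=PROTOCOL)
    outer["Subject"] = "Constructed PGP/MIME sample"
    outer.attach(MIMEText(body_text, "plain", "us-ascii"))
    sig = MIMEApplication(FAKE_SIGNATURE.encode("ascii"), "pgp-signature",
                          _encoder=encoders.encode_7or8bit)  # armored text, keep 7bit
    outer.attach(sig)
    return outer.as_bytes(policy=CRLF_POLICY)


def is_canonical(raw):
    """True if every line ending in raw is CRLF (no bare LF anywhere)."""
    return b"\n" not in raw.replace(b"\r\n", b"")


def dissect_pgp_mime(raw):
    """Split a multipart/signed message into what a verifier needs: the
    declared protocol and micalg, the exact bytes the signature covers (first
    body part with its headers, CRLF line endings, excluding the CRLF that
    belongs to the following boundary), the armored signature, and the digest
    of the covered bytes under the micalg hash (for inspection only; OpenPGP's
    own signature hash also covers a trailer, so gpg remains the verifier).
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed: " + msg.get_content_type())
    protocol = msg.get_param("protocol")
    if protocol != PROTOCOL:
        raise ValueError("unsupported protocol: %r" % (protocol,))
    micalg = (msg.get_param("micalg") or "").lower()
    if micalg not in MICALG_TO_HASH:
        raise ValueError("unknown micalg: %r" % (micalg,))
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[1].get_content_type() != PROTOCOL:
        raise ValueError("expected exactly two parts, the second %s" % PROTOCOL)

    # Slice the raw bytes instead of re-serialising the parsed part: re-rendering
    # may refold headers or change line endings, and then a good signature fails.
    boundary = msg.get_boundary().encode("ascii")
    delim = b"\r\n--" + boundary
    body_off = raw.index(b"\r\n\r\n") + 4            # end of top-level headers
    start = raw.index(b"--" + boundary + b"\r\n", body_off) + len(boundary) + 4
    end = raw.index(delim, start)                  # CRLF owned by next boundary
    signed_data = raw[start:end]
    sig_start = end + len(delim) + 2
    sig_end = raw.index(delim, sig_start)          # closing "--boundary--"
    signature = raw[sig_start:sig_end].split(b"\r\n\r\n", 1)[1]
    digest = hashlib.new(MICALG_TO_HASH[micalg], signed_data).hexdigest()
    return {"protocol": protocol, "micalg": micalg, "signed_data": signed_data,
            "signature": signature, "digest": digest}


if __name__ == "__main__":
    wire = build_pgp_mime("Hello from a constructed PGP/MIME sample.\n")
    print(wire.decode("ascii"))
    info = dissect_pgp_mime(wire)
    print("covered bytes:", len(info["signed_data"]), info["micalg"], info["digest"])
```

The raw slicing is the part worth copying: the bytes handed to the signature check must be the ones that went over the wire, CRLF included, which is exactly why a server that keeps a separate detached signature file next to a plain-text announcement has to keep the announcement byte-for-byte as sent.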