Subject: Re: NetBSD Security Advisory 2002-009: Multiple vulnerabilities in OpenSSL code
To: None <security-officer@netbsd.org, tech-security@netbsd.org,>
From: Ignatios Souvatzis <is@netbsd.org>
List: tech-security
Date: 08/06/2002 21:53:47
On Fri, Aug 02, 2002 at 07:39:34PM -0400, Todd Vierling wrote:
> On Fri, 2 Aug 2002, Ignatios Souvatzis wrote:
>
> : > We'll use this to see how many people check sigs ;-)
> :
> : I'd auto-check them if they had proper PGP/MIME headers...
>
> Please don't use "application/pgp". This **DOES NOT** come up as plaintext
> in the majority of MIME-aware MUA's, and thus, it should only be used for
> ASCII armored (or base64-encoded binary) PGP blocks.
Of course not. E.g. Mutt creates this:
> Mime-Version: 1.0
> Content-Type: multipart/signed; micalg=pgp-md5;
> protocol="application/pgp-signature"; boundary="5vNYLRcllDrimb99"
> Content-Disposition: inline
where the first part is text/plain, if it was text/plain before, or whatever
your message was before signing. It seems to properly encapsulate and sign
multiparts etc. if necessary; I've used this before.
I believe there is an RFC standardizing this, analogous to the PEM one, but it
has been a few years since I studied them.
I can see why SO announcements might NOT use this -
SO want to have the same message they send out available on the ftp server,
while creating PGP/MIME involves creating a detached signature.
OTOH, storing a separate signature per announcement might be ok.
Regards,
-is
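As an added illustration of the multipart/signed layout discussed in this message (not code from the thread or from Mutt), the following Python checks the PGP/MIME envelope and extracts the exact bytes a verifier must hand to gpg together with the detached signature. The message is a constructed sample patterned on the quoted Mutt headers; its signature block is a labelled placeholder, so this covers the envelope checks only, not the cryptographic verification itself.

```python
import email
from email import policy

# Constructed sample modelled on the Mutt headers quoted above; the signature
# block is a labelled placeholder, not a real signature.
SAMPLE = (
    "Content-Type: multipart/signed; micalg=pgp-md5;\r\n"
    '\tprotocol="application/pgp-signature"; boundary="5vNYLRcllDrimb99"\r\n'
    "\r\n"
    "--5vNYLRcllDrimb99\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "NetBSD Security Advisory text goes here.\r\n"
    "\r\n"
    "--5vNYLRcllDrimb99\r\n"
    "Content-Type: application/pgp-signature\r\n"
    "\r\n"
    "-----BEGIN PGP SIGNATURE-----\r\n"
    "PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
    "-----END PGP SIGNATURE-----\r\n"
    "--5vNYLRcllDrimb99--\r\n"
).encode("ascii")


def split_pgp_mime(raw: bytes) -> tuple[bytes, bytes, str]:
    """Check the PGP/MIME envelope; return (signed_data, signature, micalg).
    signed_data is the first body part exactly as transmitted (MIME headers
    included, CRLF line ends, no trailing CRLF): what gpg --verify consumes.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not multipart/signed")
    protocol = msg.get_param("protocol")
    micalg = msg.get_param("micalg") or ""
    if protocol != "application/pgp-signature" or not micalg.startswith("pgp-"):
        raise ValueError("not RFC 3156 PGP/MIME parameters")
    # Split the raw bytes: re-serialising parsed parts could change the bytes
    # that were actually signed and make a valid signature fail to verify.
    _, _, body = raw.partition(b"\r\n\r\n")
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    pieces = (b"\r\n" + body).split(delim)
    if len(pieces) != 4 or not pieces[3].startswith(b"--"):
        raise ValueError("expected exactly two body parts")
    signed_data = pieces[1].removeprefix(b"\r\n")
    sig_part = email.message_from_bytes(pieces[2].removeprefix(b"\r\n"),
                                        policy=policy.default)
    if sig_part.get_content_type() != protocol:
        raise ValueError("second part is not the declared protocol type")
    return signed_data, sig_part.get_payload(decode=True), micalg
```

The two returned byte strings are what a MUA writes to disk before running gpg on them; the trailing CRLF before each boundary belongs to the boundary, not to the signed part, which is why the split keeps it out of signed_data.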