LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-12-2006, 02:38 PM   #1
rignes
Member
 
Registered: Mar 2003
Location: USA
Distribution: Slackware-current
Posts: 155

Rep: Reputation: 30
PGP/MIME vs Clearsigning - What's the practical difference?


I know GPG supports two types of message signing. One is PGP/MIME and the other is traditional clear signing. Can someone point me to a resource, or explain what the real difference is between the two? I'm primarily interested in what security differences there are, if any. Also, I'd like to know why you would choose one method over the other.
I've been Googling for an answer and haven't found a satisfying answer yet.

Thanks.
 
Old 11-12-2006, 07:14 PM   #2
ajlewis2
Member
 
Registered: Nov 2003
Distribution: Ubuntu
Posts: 218

Rep: Reputation: 46
Why PGP/MIME instead of Clearsign?

Here is what I've found about it. It has nothing to do with security, but it does help a lot with clutter. I noticed, for example, in a mailing list's archives, the difference between the two. The clearsign shows right there in the message, whereas the PGP/MIME is attached and only shows if you look at it in the source.

I also found that this can be problematic when a mailing list is set to accept only plain text attachments. They need to be set to accept attachments that are "multipart/signed" as well.

So, as I found in a post that says it better than I can:

PGP/MIME does not clutter the messages for non-PGP enabled clients and web based mailing list archives with inline -----BEGIN PGP STUFF

PGP/MIME signed messages do not carry PGP garbage into the reply when quoted by a non-PGP aware mail client

Anita
 
Old 11-12-2006, 07:37 PM   #3
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
As ajlewis pointed out, it's to keep down clutter. But it's not only for aesthetic reasons. Initially, some poorly-implemented clients would calculate the hash over different parts of the message. Even with the ASCII armor, some messages were commonly mishashed, indicating a forgery, when in actuality it was the difference of a newline character or something like that. Having a multi-part message makes it clear what part of the message is signed.

The only problem with PGP/MIME (if you might call it a problem) is support for "legacy" implementations (i.e., email clients which can handle PGP, but not PGP/MIME).
 
Old 11-12-2006, 07:58 PM   #4
rignes
Member
 
Registered: Mar 2003
Location: USA
Distribution: Slackware-current
Posts: 155

Original Poster
Rep: Reputation: 30
Ok. So security isn't the reason. The muttrc man page is somewhat misleading as it claims that clear signing is deprecated and strongly urged against. I couldn't find anything to that effect in the gpg man pages.

Thanks.
 
Old 11-12-2006, 09:22 PM   #5
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
Quote:
Originally Posted by rignes
The muttrc man page […] claims that clear signing is deprecated and strongly urged against.
This is pretty much true.

I thought I'd reproduce a snippet of the gpg man page:
Quote:
Originally Posted by man 1 gpg
Clear text signatures may modify end-of-line whitespace for platform independence and are not intended to be reversible.
gpg is a standalone program with many uses (one of which is email encryption/signing), but clear-text signing has a higher probability of failure with one of them (i.e., emailing across platforms and/or implementations). GnuPG shouldn't need to urge against anything, since clear text signatures are completely appropriate for other tasks.
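The two points made in this thread, that the multipart structure pins down exactly which bytes are signed (osor's post), and that a cleartext signature alters end-of-line whitespace and is not reversible (the gpg man page quoted above), can be seen directly by building both forms. The script below is an added illustration, not code from any poster, from mutt or from GnuPG. It does no real signing: SHA-256 over the canonical bytes stands in for the OpenPGP hash step (a real signature also hashes a trailer of signature subpackets), the signature part carries a constructed placeholder string, and the sample message text is made up. The canonicalisation rules it applies are those of RFC 4880 section 7.1 (cleartext: trailing spaces and tabs removed, CRLF line endings, dash-escaping on output) and RFC 3156 sections 3 and 5 (PGP/MIME: the whole first MIME entity, headers included, in CRLF form, with an encoding that leaves no trailing whitespace).

```python
"""
Added illustration for this thread (not code from any poster, mutt or GnuPG):
which bytes an OpenPGP cleartext signature covers (RFC 4880 sec. 7.1) versus
which bytes a PGP/MIME multipart/signed signature covers (RFC 3156 sec. 5).
No real signing happens: SHA-256 over the canonical bytes stands in for the
OpenPGP hash step, and the signature part holds a constructed placeholder.
"""
import email.policy
import hashlib
from email import encoders
from email.charset import QP, Charset
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

CRLF = "\r\n"
# Serialise MIME entities with CRLF line endings, the canonical form RFC 3156 hashes.
CRLF_POLICY = email.policy.compat32.clone(linesep=CRLF)
# Constructed placeholder; a real part would carry the ASCII-armored detached signature.
FAKE_SIGNATURE = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "(placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)


def cleartext_canonical(text: str) -> bytes:
    """Text an RFC 4880 cleartext signature is computed over: trailing spaces and
    tabs dropped from every line, CRLF line endings.  This is why gpg(1) says the
    signature 'may modify end-of-line whitespace' and is not reversible: the
    stripped whitespace cannot be recovered from the result."""
    lines = text.replace(CRLF, "\n").split("\n")
    return CRLF.join(line.rstrip(" \t") for line in lines).encode("utf-8")


def cleartext_digest(text: str) -> str:
    return hashlib.sha256(cleartext_canonical(text)).hexdigest()


def clearsigned_body(text: str, signature_armor: str = FAKE_SIGNATURE) -> str:
    """Inline clearsigned form: the armor lines sit in the text itself, so every
    client and every list archive displays them, and lines that start with '-'
    are dash-escaped on output (the hash is taken over the unescaped text)."""
    escaped = "\n".join(
        ("- " + line) if line.startswith("-") else line for line in text.split("\n")
    )
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        + escaped.rstrip("\n") + "\n"
        + signature_armor
    )


def build_pgp_mime(body_text: str, signature_armor: str = FAKE_SIGNATURE) -> MIMEMultipart:
    """RFC 3156 multipart/signed: part 1 is the signed MIME entity (its own headers
    plus body), part 2 the detached signature labelled application/pgp-signature."""
    qp_utf8 = Charset("utf-8")
    qp_utf8.body_encoding = QP  # RFC 3156 sec. 3: no trailing whitespace may survive encoding
    signed_part = MIMEText(body_text, "plain", qp_utf8)
    del signed_part["MIME-Version"]  # belongs on the top-level message only

    sig_part = MIMEApplication(
        signature_armor.encode("ascii"), "pgp-signature", _encoder=encoders.encode_7or8bit
    )
    del sig_part["MIME-Version"]
    sig_part.add_header("Content-Disposition", "attachment", filename="signature.asc")

    msg = MIMEMultipart("signed", micalg="pgp-sha256", protocol="application/pgp-signature")
    msg.attach(signed_part)
    msg.attach(sig_part)
    return msg


def signed_entity_bytes(msg: MIMEMultipart) -> bytes:
    """Exactly the bytes the PGP/MIME signature covers: the first part, headers
    included, with CRLF line endings.  Nothing outside this part is ambiguous."""
    return msg.get_payload(0).as_bytes(policy=CRLF_POLICY)


def pgp_mime_digest(msg: MIMEMultipart) -> str:
    return hashlib.sha256(signed_entity_bytes(msg)).hexdigest()


def visible_text(msg: MIMEMultipart) -> str:
    """What a client that knows nothing about PGP displays: the text part, decoded,
    with its original whitespace intact and no armor lines in it."""
    return msg.get_payload(0).get_payload(decode=True).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: trailing spaces and a '-- ' signature separator, as clients produce.
    original = "Meeting moved to Tuesday.  \n-- \nAnita\n"
    in_transit = original.replace("  \n", "\r\n")  # what a relay may hand the verifier
    print("cleartext digest, original  :", cleartext_digest(original))
    print("cleartext digest, in transit:", cleartext_digest(in_transit))  # identical
    print("cleartext form reversible?   ", cleartext_canonical(original) == original.encode())
    print(clearsigned_body(original))
    m = build_pgp_mime(original)
    print(m.as_bytes(policy=CRLF_POLICY).decode())
    print("PGP/MIME digest:", pgp_mime_digest(m))
    print("non-PGP client sees:", repr(visible_text(m)))
```

Running it shows the trade-off the thread describes: the cleartext digest is the same whether the message arrives with LF or CRLF endings and with or without trailing spaces, which is the platform independence the man page refers to, but the `-- ` separator comes back as `--`, so the original bytes are gone. In the PGP/MIME message the quoted-printable part preserves every byte of the text, a non-PGP client shows that part with no `-----BEGIN PGP` lines, and the signed region is one whole MIME entity rather than something a client has to guess at.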
 