Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
11-12-2006, 03:38 PM
|
#1
|
Member
Registered: Mar 2003
Location: USA
Distribution: Slackware-current
Posts: 155
Rep:
|
PGP/MIME vs Clearsigning - What's the practical difference?
I'm know GPG supports two types of message signing. One is PGP/MIME and the other is traditional clear signing. Can someone point me to a resource, or explain what the real difference is between the two? I'm primarily interested in what security differences there are if any. Also, I'd like to know why you would choose one method over the other.
I've been Googling for an answer and haven't found a satisfying answer yet.
Thanks.
|
|
|
11-12-2006, 08:14 PM
|
#2
|
Member
Registered: Nov 2003
Distribution: Ubuntu
Posts: 218
Rep:
|
Why PGP/MIME instead of Clearsign?
Here is what I've found about it. It has nothing to do with security, but does help a lot with clutter. I noticed, for example, in a mailing list archives, the difference between the two. The clearsign shows right there in the message where the PGP/MIME is attached and only shows if you look at it in the source.
I also found that this can be problematic when a mailing list is set to accept only plain text attachments. They need to be set to accept attachments that are "multipart/signed" as well.
So, like I found in a post that says it better than I can:
PGP/MIME does not clutter the messages for non-PGP enabled clients
and web based mailinglist archives with inline -----BEGIN PGP STUFF
PGP/MIME signed messages do not carry PGP garbage into reply when
quoted by non-PGP aware mail client
Anita
|
|
|
11-12-2006, 08:37 PM
|
#3
|
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
Rep:
|
As ajlewis pointed out, it's to keep down clutter. But it's not only aesthetic reasons. Initially, some poorly-implemented clients would calculate the hash over different parts of the message. Even with the ASCII armor, some messages were commonly mishashed, indicating a forgery, when in actuality it was the difference of a newline character or something like that. Having a multi-part message makes it clear what part of the message is signed.
The only problem with PGP/MIME (if you might call it a problem) is support for "legacy" implementations (i.e., email clients which can handle PGP, but not PGP/MIME).
|
|
|
11-12-2006, 08:58 PM
|
#4
|
Member
Registered: Mar 2003
Location: USA
Distribution: Slackware-current
Posts: 155
Original Poster
Rep:
|
Ok. So security isn't the reason. The muttrc man page is somewhat misleading as it claims that clear signing is deprecated and strongly urged against. I couldn't find anything to that effect in the gpg man pages.
Thanks.
|
|
|
11-12-2006, 10:22 PM
|
#5
|
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
Rep:
|
Quote:
Originally Posted by rignes
The muttrc man page […] claims that clear signing is deprecated and strongly urged against.
|
This is pretty much true.
I thought I'd reproduce a snippet of the gpg man page:
Quote:
Originally Posted by man 1 gpg
Clear text signatures may modify end-of-line whitespace for platform independence and are not intended to be reversible.
|
gpg is a standalone program with many uses (one of which is email encryption/signing), but clear-text signing has a higher probability of failure with one of them (i.e., emailing across platforms and/or implementations). GnuPG shouldn't need to urge against anything, since clear text signatures are completely appropriate for other tasks.
|
|
|
All times are GMT -5. The time now is 01:56 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|