[Mailman-Developers] PGP-signed message verification using the email module (and in Mailman)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 8 19:21:12 CET 2014

On 01/08/2014 12:35 PM, Paul Boddie wrote:

> Of course, RFC 3156 warns about the pitfalls of encoding the part that is to 
> be signed,

It doesn't just warn about the pitfalls.  it states that:

   Multipart/signed and multipart/encrypted are to be treated by agents
   as opaque, meaning that the data is not to be altered in any way [2],

where [2] and [7] map roughly to:

 [2] https://tools.ietf.org/html/rfc1847#section-2.1

which reads:

Security Considerations: [multipart/signed parts] Must be treated as
opaque while in transit


 [7] https://tools.ietf.org/html/rfc2480#section-4

which reads:

 [email gateways]
          MUST provide the ability to tunnel multipart/signed and
          multipart/encrypted objects as monolithic entities if there is
          any chance whatsoever that MIME capabilities exist on the
          non-MIME side of the gateway. No changes to content of the
          multipart are permitted, even when the content is itself a
          composite MIME object.

so if python's email module really does mangle this part, it cannot be
used within RFC-2480-compliant mail gateways.  This is a bug in python's
email module, and it needs to be fixed.  Have you reported it to the
python email module?

Thanks for raising the issue,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/mailman-developers/attachments/20140108/c6e5bdab/attachment.sig>

More information about the Mailman-Developers mailing list