[Mailman-Developers] PGP-signed message verification using the email module (and in Mailman)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 8 19:21:12 CET 2014
On 01/08/2014 12:35 PM, Paul Boddie wrote:
> Of course, RFC 3156 warns about the pitfalls of encoding the part that is to
> be signed,
It doesn't just warn about the pitfalls; it states that:
Multipart/signed and multipart/encrypted are to be treated by agents
as opaque, meaning that the data is not to be altered in any way [2],
[7].
where [2] and [7] map roughly to:
[2] https://tools.ietf.org/html/rfc1847#section-2.1
which reads:
Security Considerations: [multipart/signed parts] Must be treated as
opaque while in transit
and
[7] https://tools.ietf.org/html/rfc2480#section-4
which reads:
[email gateways]
MUST provide the ability to tunnel multipart/signed and
multipart/encrypted objects as monolithic entities if there is
any chance whatsoever that MIME capabilities exist on the
non-MIME side of the gateway. No changes to content of the
multipart are permitted, even when the content is itself a
composite MIME object.
so if python's email module really does mangle this part, it cannot be
used within RFC-2480-compliant mail gateways. This is a bug in python's
email module, and it needs to be fixed. Have you reported it to the
python email module?
Thanks for raising the issue,
--dkg
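The requirement dkg quotes above (the multipart/signed container is opaque, so the signed body part has to reach the verifier byte for byte) as an added worked example. This is illustrative code written for this page; it is not Mailman's code and not from anyone in this thread. It slices the signed part out of the raw message bytes by locating the boundary delimiters, and contrasts that with what the email module hands back when it re-serialises the same part. The sample message, its boundary, the addresses and the armored signature (a placeholder, not a real OpenPGP signature) are all constructed here, and the function names are hypothetical.

```python
"""Slice the signed part of a PGP/MIME (RFC 3156) message out of the raw bytes.

Added example, not Mailman's code and not from this thread. It shows why the
multipart/signed container has to be treated as opaque: the email module's
generator rewrites line endings when it re-serialises a part, and the bytes
it emits are no longer the bytes the signature was computed over.
"""
from __future__ import annotations

import email
import email.policy
import re

# Constructed sample, CRLF line endings as on the wire. The armored signature
# is a placeholder, not a real OpenPGP signature. The trailing blank in the
# body is QP-encoded (=20) so transit agents cannot silently strip it.
RAW_MESSAGE = (
    b"From: alice@example.org\r\n"
    b"To: list@example.org\r\n"
    b"Subject: signed test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    b'\tprotocol="application/pgp-signature"; boundary="XYZ123"\r\n'
    b"\r\n"
    b"--XYZ123\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Hello, list.  Trailing space here: =20\r\n"
    b"Second line.\r\n"
    b"--XYZ123\r\n"
    b'Content-Type: application/pgp-signature; name="signature.asc"\r\n'
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"iQEzBAEBCAAdFiEEplaceholderplaceholderplaceholder\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--XYZ123--\r\n"
)


def _delimiter_re(boundary: bytes) -> re.Pattern[bytes]:
    # RFC 2046: the line break before a delimiter line belongs to the
    # delimiter, not to the preceding part; "--" after the boundary closes it.
    return re.compile(
        rb"\r?\n--" + re.escape(boundary) + rb"(--)?[ \t]*(?:\r?\n|\Z)"
    )


def extract_signed_part(raw: bytes) -> tuple[bytes, bytes]:
    """Return (signed_data, signature_armor) for a PGP/MIME message.

    signed_data is the first body part, headers included, exactly as it
    appears in `raw` except that line endings are canonicalised to CRLF
    (RFC 3156 section 5); the line break before the second boundary is
    not part of it. The email module is used only to read the outer
    Content-Type parameters and to decode the signature part.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    if msg.get_param("protocol") != "application/pgp-signature":
        raise ValueError("not PGP/MIME")
    boundary = msg.get_boundary()
    if boundary is None:
        raise ValueError("multipart/signed without a boundary parameter")

    delims = list(_delimiter_re(boundary.encode("ascii")).finditer(raw))
    # Opening delimiter, delimiter between the two parts, closing delimiter.
    if len(delims) != 3 or delims[2].group(1) != b"--":
        raise ValueError("multipart/signed must contain exactly two parts")

    # Slice straight out of the raw bytes; nothing is re-serialised.
    signed_data = raw[delims[0].end():delims[1].start()]
    signed_data = re.sub(rb"\r?\n", b"\r\n", signed_data)

    sig_part = msg.get_payload(1)
    if sig_part.get_content_type() != "application/pgp-signature":
        raise ValueError("second part is not application/pgp-signature")
    # decode=True undoes any transfer encoding a gateway may have applied.
    return signed_data, sig_part.get_payload(decode=True)


def regenerated_first_part(raw: bytes) -> bytes:
    """The mangling case: let the email module re-serialise the signed part.

    The generator writes every line with the policy's linesep ('\\n' for
    email.policy.default and for the legacy compat32), so CRLF input comes
    back as LF and no longer matches what was signed.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return msg.get_payload(0).as_bytes()
```

The two values extract_signed_part returns are exactly what `gpg --verify signature.asc data` expects once written to those two files. regenerated_first_part is the failure mode this thread is about: the only difference between its output and the signed bytes is the line ending, and that is enough for the signature check to fail. The same slicing works on an LF-only copy of the message (what you typically get after local delivery), because the delimiter match and the canonicalisation both accept either line ending.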