[Alpine-info] Extensions needed for proper crypto support.
Steven W. Orr
steveo at syslang.net
Sat Jun 6 15:51:57 PDT 2009
On Saturday, Jun 6th 2009 at 17:48 -0000, quoth Steve Revilak:
> steveo> I've been reading up on the crypto aspects as they relate to
> steveo> alpine. I understand pretty much how the PGP/GPG side
> steveo> operates. I think I have a sense of the S/MIME side of things
> steveo> as well. After having gone through it all, I feel like I have a
> steveo> definite preference to using GPG over S/MIME. But I see a
> steveo> number of messages that have GPG signature attachments and the
> steveo> support needed to verify these messages is not good. And
> steveo> verifying is less useful if I can't also send a message with
> steveo> an attached signature.
>
> steveo> What seems to be missing is the ability to easily create
> steveo> filters for dealing with GPG in the context of an attached
> steveo> signature. Am I intriguing people with this idea or am I way
> steveo> off base? Does someone have a better suggestion? I'd like to
> steveo> help but I need to know how and where to start.
>
> With Alpine, I've used one of two techniques for verifying pgp
> signatures:
>
> * if the signature was inline, I'd pipe it to "gpg --verify". For
> "traditional" inline PGP signatures, this seems to work fine.
>
> * for attached signatures, I'd press "h" to display the raw message,
> and then export it to a file. A multipart/signed message has
> exactly two top-level mime parts: a (mime encoded) message, and the
> message signature.
>
> I'd separate the exported message into two files -- say msg.txt
> and msg.txt.sig -- and run "gpg --verify msg.txt.sig".
>
> Section 5 of http://www.ietf.org/rfc/rfc2015.txt has an example
> that illustrates how to dissect the signature and signed content.
>
> In practice, this means I tended not to verify multipart/signed
> messages, unless I was really concerned about the message's
> integrity/authenticity.
>
> I've seen some posters use multipart/signed (topal, I guess?). I only
> heard of topal very recently, and haven't tried using it.
I appreciate your response, but I'd like to gently suggest that this is
not the direction I'd like this discussion to be going. Overall, I don't
have any idea what items are on the list of Things To Be Done and what
their priority is. (I also don't have a clue as to how many dozens of
developers are chomping at the bit to contribute.;) My goal was to see if
the above suggestions were interesting to rate as some sort of priority,
either short or long term.
--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor? Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
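
Added example, not part of the original message: the manual procedure from the quoted reply (export the raw message, split it into msg.txt and msg.txt.sig, run gpg --verify) as a Python script. The function name split_signed and the sample message are assumptions made for illustration; the signed bytes are the first MIME part including its own headers, with CRLF line endings.

```python
import re
import subprocess
import sys

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = (
    b"From: alice@example.org\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    b'\tprotocol="application/pgp-signature"; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nHello.\n\n"
    b"--b1\nContent-Type: application/pgp-signature\n\n"
    b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
    b"--b1--\n"
)

def split_signed(raw: bytes):
    """Return (signed_content, signature) from a raw multipart/signed message."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)        # canonical CRLF line endings
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)    # unfold continued header lines
    ctype = re.search(rb"(?im)^content-type:\s*multipart/signed[^\r\n]*", head)
    if not ctype:
        raise ValueError("not a multipart/signed message")
    param = re.search(rb'(?i)boundary="?([^";\r\n]+)', ctype.group(0))
    if not param:
        raise ValueError("no boundary parameter")
    # MIME counts the line break before a boundary as part of the boundary,
    # so it is excluded from the signed bytes.
    chunks = (b"\r\n" + body).split(b"\r\n--" + param.group(1))
    # chunks: preamble, signed part, signature part, "--" plus epilogue
    if len(chunks) != 4 or not chunks[3].startswith(b"--"):
        raise ValueError("expected exactly two top-level parts")
    # Signed bytes keep the part's own MIME headers; only the remainder of the
    # boundary line is dropped.
    signed = chunks[1].split(b"\r\n", 1)[1]
    sig_part = chunks[2].split(b"\r\n", 1)[1]
    sig = sig_part.partition(b"\r\n\r\n")[2]     # drop the signature part's headers
    return signed, sig.strip() + b"\r\n"

if __name__ == "__main__":
    # Argument: the raw message exported from the "h" view; default: the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    content, signature = split_signed(raw)
    with open("msg.txt", "wb") as f:
        f.write(content)
    with open("msg.txt.sig", "wb") as f:
        f.write(signature)
    sys.exit(subprocess.run(["gpg", "--verify", "msg.txt.sig", "msg.txt"]).returncode)
```

Run without an argument, the script splits the constructed sample, which gpg rejects because its signature is a placeholder; the exit status is gpg's own.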