Kudos to Qwest

Nobody is forcing anybody to adopt it.

OTOH, complaining to people who use the spec about problems with your own
mailer is pretty dumb.

HA!

I remember pegasus! That was ages ago.

before windows... Our branch got all macs (the really old shoebox ones)
before we'd succumb but we were overruled eventually. They have them in
the smithsonian now.

enough ot. back to work.

Jane

"Gerardo A. Gregory" wrote:

[snip]

It is. I know mutt, at least, switched to the PGP/MIME attachment style of
signatures from the old ASCII-armored messages a few versions back. I
personally liked the old style better, but the new one appears to be
compliant to the current MIME standards.

I'm willing to accept a bit of annoyance in order to promote standards
compliance. If only Microsoft was thus motivated.

Eric A. Hall <ehall@ehsco.com> was seen to declaim:

Nobody is forcing anybody to adopt it.

I think the point is people with non-compliant mailers delete mails
with attachments and no body on sight... sometimes, in an automated
rule. If you don't care that a percentage of your recipients don't ever
get to see your missives (and/or think you are infected with some sort
of virus) as long as those that use the same software as you do, then
you are in good company - it's how most web designers seem to feel about
Internet Explorer and flash.

OTOH, complaining to people who use the spec about problems
with your own mailer is pretty dumb.

As has already been pointed out, just because a standard exists is not a
good reason to use it if there is a more backwards-compliant standard
that does the same job - like clearsigning the message in the body.
As an (extreme) counter-example, there are standards I would be
compliant with if I had decided to start each paragraph with a pretty
illuminated capital (using a gif image), change the font to a nice,
bubbly font in ebcdic order (and include a AOT file for that) and then
wrap the whole thing up in mime multipart/related so that a *compliant*
reader could view it. However, I am fairly sure that would get me booted
from the list *and* would be megabytes of unreadable garbage to most of
the list (it is probably unreadable garbage now, but that is just their
personal opinion of my emails :)
Just because it is a standard, doesn't mean it is appropriate.

In a message written on Wed, Jul 10, 2002 at 04:31:40PM +0100, David Howe wrote:

I think the point is people with non-compliant mailers delete mails
with attachments and no body on sight... sometimes, in an automated
rule. If you don't care that a percentage of your recipients don't ever

Ok, I tried to stay out of this one, but this comment made me feel
I have to jump in. I'm all against attachments, file attachments.
Just because a message is MIME encoded, does not mean it is a file
though.

If people are throwing away MIME messages with a single "text/plain"
section then they are firmly in the wrong. All of the "modern"
text and GUI mailers display this properly, inline, as a plain old
text message.

More to the point, if anyone bothered to look at a MIME/PGP message,
that's all it is. Specifically, you'll see two parts:

] Content-Type: text/plain; charset=us-ascii
] Content-Disposition: inline
] Content-Transfer-Encoding: quoted-printable

] Content-Type: application/pgp-signature
] Content-Disposition: inline

If your mailer isn't showing you the first one as a text/plain
message, even if it doesn't understand the second you need a new
mailer.

Equally, while I don't like the practice, if you haven't configured
your mailer to show you text/plain over text/html (assuming you
dislike html mail) in a multipart/alternative message then you're
also behind the times. Don't complain about HTML mail when someone
is also sending you text, just because you're too backwards to
display it.

If we could convert the whole country, including Joe Idiot from
Leaded to Unleaded gas, I'm sure some "network savvy" people can
figure out how to make basic MIME work. After all, if we can't
communicate in E-MAIL how will we ever make the networks go?

Thus spake "Leo Bicknell" <bicknell@ufp.org>

More to the point, if anyone bothered to look at a MIME/PGP message,
that's all it is. Specifically, you'll see two parts:

] Content-Type: text/plain; charset=us-ascii
] Content-Disposition: inline
] Content-Transfer-Encoding: quoted-printable

] Content-Type: application/pgp-signature
] Content-Disposition: inline

If your mailer isn't showing you the first one as a text/plain
message, even if it doesn't understand the second you need a new
mailer.

You left out the MIME header that's actually causing the problem:

] Content-Type: multipart/signed; micalg=pgp-md5;
] protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz"

My MUA understands multipart/mixed and multipart/alternative; it doesn't
understand multipart/signed and therefore has no clue what to do with the
message as a whole, even if it does understand one of the component's type.

If anyone has a procmail recipe for dropping the second part and promoting the
text/* to main body, I'm all ears.

S

"Leo Bicknell" <bicknell@ufp.org> illuminated our understanding with:

In a message written on Wed, Jul 10, 2002 David Howe wrote:

I think the point is people with non-compliant mailers delete mails
with attachments and no body on sight... sometimes, in an automated
rule. If you don't care that a percentage of your recipients don't
ever

Ok, I tried to stay out of this one, but this comment made me feel
I have to jump in. I'm all against attachments, file attachments.
Just because a message is MIME encoded, does not mean it is a file
though.
If people are throwing away MIME messages with a single "text/plain"
section then they are firmly in the wrong. All of the "modern"
text and GUI mailers display this properly, inline, as a plain old
text message.

Yup - I am not defending M$'s crapware here; any decent mail client
written in the last few years should at least show the text inline and
the sig as an attachment. What I am trying to say is it isn't a good
defense to say "oh, but it's an RFC and my client can handle it, so yours
is broken". A documented abomination (and M$'s crapware handles that
abomination I came up with just fine) is still an abomination.
However, I try to avoid any sort of attachment or mime encoding for
mailing lists - simply because it can be badly broken by the list itself
(some lists strip attachments, leaving an uninteresting blank message
when you try to use pgp mime; some people read in digest mode which is
why attachments are stripped, and so forth). pgp mime avoids taking up
message body space with the signature (which in most cases can be four
times the size of the message) so is a good thing - but that doesn't
mean that you should openly insult anyone whose software doesn't include
this feature. smtp works best with plaintext ascii-7; anything else is a
bonus, but shouldn't be mandatory.

Per the recently posted stats for members of *this* list:

  Microsoft 38.71%
  Mozilla 11.41%
  Eudora 10.86%

I'm using a recent version of the #3 mailer, which I would think qualifies as a "modern" GUI mailer. It presents PGP-MIME messages as an attachment with a format it doesn't know how to read. I'm no more interested in upgrading (or changing) my mailer to deal with *this* attachment type than I am in upgrading to deal with text/html attachments.

What part of "it is rude to expect all members of a large and diverse mailing list to accept and parse your particular attachment format" isn't perfectly clear?

Netiquette. It's been around a looooong time. You might try following it.

jc

[snip]

You left out the MIME header that's actually causing the problem:

] Content-Type: multipart/signed; micalg=pgp-md5;
] protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz"

My MUA understands multipart/mixed and multipart/alternative; it doesn't
understand multipart/signed and therefore has no clue what to do with the
message as a whole, even if it does understand one of the component's type.

If anyone has a procmail recipe for dropping the second part and promoting the
text/* to main body, I'm all ears.

This procmail recipe works for me. YMMV, depending on MUA/OS/crypto
combination.

More to the point, if anyone bothered to look at a MIME/PGP message,
that's all it is. Specifically, you'll see two parts:

] Content-Type: text/plain; charset=us-ascii
] Content-Disposition: inline
] Content-Transfer-Encoding: quoted-printable

] Content-Type: application/pgp-signature
] Content-Disposition: inline

There's also the multipart/signed parent container. Of course, RFC2046
says that UNKNOWN MEDIA-TYPES are to be treated as multipart/mixed:

> 5.1.7. Other Multipart Subtypes
>
> Other "multipart" subtypes are expected in the future. MIME
> implementations must in general treat unrecognized subtypes of
> "multipart" as being equivalent to "multipart/mixed".

A mailer which displays the embedded text as attachments is going out of
its way to be incompatible with the spec.

I have no problem reading the attachments (pine displays most attachments
nicely), but personally I think the notion of pgp signing every mail you
send is extremely arrogant.

Remind me again about why I should care about whether or not somebody was
spoofing Joe Klein's email address, when this is the content:

Regarding electronic signatures.

The post was signed so you know for certain that I'm the knucklehead that
accidentally started the OT thread with my stupid joke. Arrogant or
not IMHO PGP sigs are a good business practice.

Signing post means only that you know with some certainty the bozo
to hold responsible. I want to own up to my bozoesk, arrogant and
stupid ramblings.

Using PGP sigs has far more operational relevance than my silly post.
Trusted relationships are an essential component to the operation of our
industry.

People have forged mail posted to this list in the past.

I also put my phone number on a bunch of my past posts. I am exercising my
right to be verifiably open and accountable for my stupid and arrogant
actions.

... but not with this e-mail.

[ SNIP ]

To the people who so arrogantly pgp sign every email they send:
Learn how to consider the importance of your words.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

Damn you bastard! netiquette violating people
with >4 line sigs.

Regarding electronic signatures.

The post was signed so you know for certain that I'm the knucklehead that
accidentally started the OT thread with my stupid joke. Arrogant or
not IMHO PGP sigs are a good business practice.

...when doing business.

Signing post means only that you know with some certainty the bozo
to hold responsible. I want to own up to my bozoesk, arrogant and
stupid ramblings.

Ah, and that's where the arrogance comment came from. You assume that the
members of nanog care. I'm not trying to call you an arrogant person, and
I recognize that you're not being blatantly arrogant, it's more of a
passive assumption. The passive assumption is that your words are
important enough that somebody might want to verify them. So, does EVERY
email need to be pgp signed?

When was the last time somebody on this list bothered to check the
validity of a pgp signed message which they received via nanog?

I mean, if John Sidgmore posted to that from now on, Worldcom's official
pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a
second unless it was signed and I verified it.

Andy


[snip]

> Signing post means only that you know with some certainty the bozo
> to hold responsible. I want to own up to my bozoesk, arrogant and
> stupid ramblings.

Ah, and that's where the arrogance comment came from. You assume that the
members of nanog care. I'm not trying to call you an arrogant person, and
I recognize that you're not being blatantly arrogant, it's more of a
passive assumption. The passive assumption is that your words are
important enough that somebody might want to verify them. So, does EVERY
email need to be pgp signed?

If it's important enough to post in the first place, it's worth taking the
minimal effort required to sign it. I cannot understand the source of the
surprisingly vehement reaction against the PGP/MIME standard and PGP signing
in general. I would have thought this audience, at least, would understand
the importance of promoting the use of cryptography in general.

Perhaps I was being naive.

When was the last time somebody on this list bothered to check the
validity of a pgp signed message which they received via nanog?

Every single one that's signed, I check. But then, my MUA does it
automagically.

[Content-type: text/political]

It's just Good Standard Practice. It frequently takes a while for the slower
vendors to catch up to standards, but in this case, I think it's a good idea to
push the vendors as much as possible towards adoption of support for the
OpenPGP standard and strong crypto in general.

It may not be personally important to every person for every message at this
point in time, but the more common crypto is, the less likely we are to find
it de jure or de facto outlawed. The legal history of crypto in the United
States, if nowhere else, should provide incentive in this area.

My mail user agent verifies every pgp signature it reads. Automatically.

Isn't NANOG business??? I work for a big North American Network, have
been accused of being an Operator, and on rare occasions post things that
are on topic.

I'm confused ...

We have signing parties at NANOG and IETF to promote the use of trusted
e-mail.

Amen. If it's showing the text/plain as an attachment, even when there's a
'Content-Disposition: inline', the MUA is just being contrary to the point of
borkedness. There *is* a corner case in the MIME specs in that if your MUA
doesn't support multipart/signed, it is required to drop back to multipart/
mixed - and at that point, the treatment of any given text/plain is unspecified
(an MUA is free to display all as attachments, all as inline, the first as
inline and rest as attachments, or whatever choice it feels like). This
ambiguity is why RFC2183 was issued in August 1997.

I've made a *partial* fix to exmh to force generation of a Content-Disposition
tag (it's still broken for the general case, but THIS message should have a
'inline' attached to the text/plain bodypart). If it in fact isn't there,
let me know. If it's there and your MUA now Gets It Right where it didn't
used to, let me know. If it's there and your MUA *still* doesn't get it right,
let your vendor know - there's nothing else I can do about it.

If the exmh fix actually improves things for anybody, and doesn't break things,
I'll commit it to the CVS tree.
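The RFC 2046 section 5.1.7 fallback and the "promote the text/* to main body" filter asked for earlier in the thread, as an added example (not a recipe posted by any participant): an unrecognized multipart subtype is walked as if it were multipart/mixed and the first inline text part becomes the body. The sample message, its addresses and the `X-Signature-Stripped` header are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

KNOWN_MULTIPART = {"mixed", "alternative"}  # what the poster's MUA handles
MIME_HEADERS = {"mime-version", "content-type", "content-disposition",
                "content-transfer-encoding"}

# Constructed sample in the shape quoted in the thread; the signature
# body is a placeholder, not a real signature.
SAMPLE = b"""\
From: alice@example.org
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
 protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz"

--0eh6TmSyL6TZE2Uz
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Signed body, 2+2=3D4.

--0eh6TmSyL6TZE2Uz
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
--0eh6TmSyL6TZE2Uz--
"""

def first_inline_text(msg):
    """First text/* leaf not marked as an attachment, any multipart subtype."""
    for part in msg.walk():
        if (not part.is_multipart()
                and part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            return part
    return None

def promote_text_body(raw: bytes) -> bytes:
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_maintype() != "multipart"
            or msg.get_content_subtype() in KNOWN_MULTIPART):
        return raw                      # nothing the MUA cannot already show
    part = first_inline_text(msg)
    if part is None:
        return raw                      # no readable text part: leave intact
    out = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        if name.lower() not in MIME_HEADERS:
            out[name] = value
    # Hypothetical marker header: the rewritten copy cannot be verified.
    out["X-Signature-Stripped"] = "multipart/" + msg.get_content_subtype()
    out.set_content(part.get_content())  # decoded text, re-encoded as 7bit
    return out.as_bytes()
```

Wrapped to read a message on stdin and write the result on stdout, this can run as a delivery-time filter. The rewritten copy no longer carries the signature, so keep the original wherever verification matters.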

[snip]

  The breakdown:

  Microsoft 38.71% (not even half the way to 90%)
  Mozilla 11.41%
  Eudora 10.86%
  ELM 6.63%
  exmh 5.25%
  Web Mail 5.20%
  Mutt 4.70%
  New MH 3.64%
  VM 2.36%
  Mulberry 1.90%
  Gnus 1.27%
  MH 0.96%

[snip]

  --msa

Close, but no banana for you:

26.1534 percent, Pine
20.2465 percent, Microsoft Total (Outlook, Outlook Express, Exchange, etc)
15.5250 percent, Mutt
7.7120 percent, Microsoft Outlook
7.6985 percent, Internet Mail Service (Exchange)
5.7049 percent, Eudora
5.2738 percent, Mozilla (Netscape)
4.7013 percent, Microsoft Outlook Express
3.6102 percent, Unknown (536 messages were not identifiable)
3.2734 percent, Elm
2.1823 percent, exmh
1.6232 percent, Web Mail
1.4144 percent, Gnus/Emacs
1.2326 percent, Mulberry
0.9160 percent, VM
0.7139 percent, Yahoo!
0.4715 percent, Hotmail
0.3839 percent, Lotus Notes
0.3166 percent, The Bat!
0.3031 percent, KMail
0.2896 percent, Apple Mail
0.2694 percent, Pocomail
0.2694 percent, MH
0.2627 percent, Evolution
0.2088 percent, DMailWeb Web to Mail Gateway
0.2021 percent, Mahogany
0.1414 percent, Squirrel Mail
0.1414 percent, CommuniGate Pro Web Mailer
0.1347 percent, mh-e
0.1145 percent, IMail
0.1078 percent, Sylpheed
0.1010 percent, Microsoft-Entourage
0.1010 percent, Mew version x.xx on Emacs
0.0943 percent, dtmail 1.3.0 @(#)CDE Version
0.0741 percent, Tellurian WebMail
0.0674 percent, tin
0.0674 percent, Forte Agent
0.0539 percent, My Own Email
0.0471 percent, ZMail
0.0471 percent, Mail User's Shell
0.0404 percent, MailRoom For Internet Mail
0.0269 percent, stuphead ver. 0.5.3 (Wiskas)
0.0269 percent, MIME-tools 4.104 (Entity 4.117)
0.0202 percent, your-mom-encapsulated-in-smtp
0.0202 percent, Vivian Mail
0.0202 percent, PostOffice
0.0202 percent, Mirapoint Webmail Direct
0.0202 percent, Becky!
0.0135 percent, Excite Inbox
0.0135 percent, /bin/bash
0.0135 percent, AeroMail
0.0067 percent, XFMail
0.0067 percent, WorldClient Standard
0.0067 percent, TWIG
0.0067 percent, The Rodent, go figure.
0.0067 percent, TBBS/TIGER v1.0/PRIMP 1.56p
0.0067 percent, slrn
0.0067 percent, Opera
0.0067 percent, emacs 20.5.1 (via feedmail 8 I)
0.0067 percent, Calypso

Total messages: 14847

This resulted from checking X-Mailer, User-Agent, and Message-ID as a last
resort (yahoo, hotmail, pine..), timespan is from Feb 2001 to now.

In the wise words of Brian Hatch (author of _Hacking Linux Exposed_ and _Building Linux VPNs_):

    If it ain't signed, it ain't me.

The passive assumption is that your words are
important enough that somebody might want to verify them.

  Correct. This statement will be true for just about everyone, at some point in their life.

So, does EVERY
email need to be pgp signed?

  Do you need to use ssh every time you access a server remotely? Surely you know when your line is being tapped or when your packets are being sniffed, and you choose only those times to use ssh, and otherwise you use telnet? Same goes for actually using passwords to login -- surely you know when it's a legitimate user that is trying to login and when it's someone trying to gain illicit access to your system, and you require them to use passwords accordingly?

When was the last time somebody on this list bothered to check the
validity of a pgp signed message which they received via nanog?

  When was the last time anyone on this list bothered to check the validity of any message they received via any channel? I mean, if you're going to use probability to support your argument, you might as well widen the discussion to a much broader sample group.

I mean, if John Sidgmore posted to that from now on, Worldcom's official
pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a
second unless it was signed and I verified it.

  Not everything is black and white. At what level would you choose to validate a message like this?