Comment 0 for bug 303140

In , Ben-bucksch (ben-bucksch) wrote:

Split-off from bug 2920 comment 419 and bug 2920 comment 60:

If the mail client deletes attachments of a mail that happened to be
cryptographically signed by the sender, the signature becomes invalid.

That's as designed, because the sig proves that the msg is not tampered with, in
the state that the sender sent it, and that intentionally includes attachments,
otherwise they wouldn't be included in the sig wrapper.

The problem here is that our mail client shows a "broken" signature, which may
be confusing to users.

Question is what to do.
- Comment 60 suggested as one solution to disable the "delete attachment"
feature completely for mails that are signed.
- Another solution would be to allow deletion of attachments, and then treat the
msg as if it never had a signature.
- Another suggestion (of mine) would be to show a special msg telling the user
that the msg used to be signed by foo, but no longer is, because the attachments
have been stripped. That poses the risk that users then treat the msg as if the
signature was still valid, which would open (social) attacks where the attacker
forges msgs which *pose* as exactly that.
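As an added illustration (not code from the bug thread or from the mail client under discussion), the following Python script models a multipart/signed message with the standard library's email package and walks through the three states the comment distinguishes: signature valid, signature broken after the "delete attachment" operation, and signature removed so the message is stored as if it had never been signed. An HMAC over the signed MIME entity stands in for a real OpenPGP or S/MIME signature; the application/x-example-signature type, the demo key, the addresses and the attachment bytes are all constructed for the example.

```python
"""Added example (not from the bug report): why stripping an attachment from a
multipart/signed message breaks the signature, modelled with Python's stdlib
email package.  An HMAC over the signed entity stands in for the real
OpenPGP/S-MIME signature; the signature MIME type, key and addresses are
constructed for the demo."""
import hashlib
import hmac
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed demo key; a real client verifies with the sender's public key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
SIG_TYPE = "application/x-example-signature"  # hypothetical stand-in for pgp-signature


def _sign(key: bytes, signed_entity: bytes) -> bytes:
    # The signature covers the whole first body part of multipart/signed:
    # its headers, the text and every attachment (RFC 1847 layout).
    return hmac.new(key, signed_entity, hashlib.sha256).hexdigest().encode("ascii")


def build_signed_message(key: bytes) -> bytes:
    """Sender side: text plus one attachment, wrapped in multipart/signed."""
    content = MIMEMultipart("mixed", boundary="inner-boundary")
    content.attach(MIMEText("Quarterly report attached; please review."))
    attachment = MIMEApplication(b"\x89PNG\x00\x01constructed-binary-bytes", "octet-stream")
    attachment.add_header("Content-Disposition", "attachment", filename="report.bin")
    content.attach(attachment)

    sig_part = MIMEApplication(_sign(key, content.as_bytes()), "x-example-signature",
                               _encoder=encode_7or8bit)
    outer = MIMEMultipart("signed", boundary="outer-boundary",
                          protocol=SIG_TYPE, micalg="hmac-sha256")
    outer["From"] = "foo@example.org"
    outer["To"] = "bar@example.org"
    outer["Subject"] = "Signed report"
    outer.attach(content)
    outer.attach(sig_part)
    return outer.as_bytes()


def _parse(raw: bytes):
    return BytesParser().parsebytes(raw)


def verify(raw: bytes, key: bytes) -> bool:
    """Recompute the signature over the signed entity exactly as stored."""
    msg = _parse(raw)
    if msg.get_content_type() != "multipart/signed" or len(msg.get_payload()) != 2:
        return False
    content, sig_part = msg.get_payload()
    expected = _sign(key, content.as_bytes())
    return hmac.compare_digest(expected, sig_part.get_payload(decode=True).strip())


def delete_attachments(raw: bytes) -> bytes:
    """What a 'delete attachment' feature does: drop the attachment parts and
    write the message back, leaving the old signature part in place."""
    msg = _parse(raw)
    content = msg.get_payload(0) if msg.get_content_type() == "multipart/signed" else msg
    if content.is_multipart():
        content.set_payload([p for p in content.get_payload()
                             if p.get_content_disposition() != "attachment"])
    return msg.as_bytes()


def strip_signature(raw: bytes) -> bytes:
    """Second option from the comment: unwrap multipart/signed so the message
    is stored as if it had never been signed (no stale signature to display)."""
    msg = _parse(raw)
    if msg.get_content_type() != "multipart/signed":
        return raw
    content = msg.get_payload(0)
    for name, value in msg.items():  # keep From/To/Subject etc. on the unwrapped message
        if not name.lower().startswith("content-") and name not in content:
            content[name] = value
    return content.as_bytes()


def display_state(raw: bytes, key: bytes) -> str:
    """The three states a client has to render differently."""
    if _parse(raw).get_content_type() != "multipart/signed":
        return "unsigned"
    return "signed-valid" if verify(raw, key) else "signed-broken"


if __name__ == "__main__":
    original = build_signed_message(DEMO_KEY)
    pruned = delete_attachments(original)
    print(display_state(original, DEMO_KEY))                   # signed-valid
    print(display_state(pruned, DEMO_KEY))                     # signed-broken
    print(display_state(strip_signature(original), DEMO_KEY))  # unsigned
```

Because the signature is computed over the serialized first body part, any edit to that part, including removing an attachment, changes the bytes and the check fails; there is no way to "re-sign" on the recipient side. Unwrapping the signed container at deletion time, as strip_signature does, is the one path that leaves nothing for the client to misreport.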