[kmail2] [Bug 439958] X-Face can break cryptographic signatures

David C. Bryant bugzilla_noreply at kde.org
Mon Sep 27 14:13:52 BST 2021


https://bugs.kde.org/show_bug.cgi?id=439958

--- Comment #14 from David C. Bryant <davidbryant at gvtc.com> ---
(In reply to Sandro Knauß from comment #13)
> I can confirm it [snip ...]
> 
> @David: can you check, if you get proper signatures, if you disable the
> picture (X-Face)? (Picture tab of the Identity).

Yes, Sandro, signatures work fine with X-Face disabled. See the screenshot I'm
adding as an attachment to this bug report today. I am using the same picture
as was in the X-Face header as my gravatar (see discussion below). So the
message appears the same (to me) both with and without embedded X-Face headers
(except that X-Face breaks the crypto signature). 

A friend referred me to this web page:
https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02
and raised the question "should the X-Face header be a protected header?" I'm
not real sure of the answer. Personally, I don't care if somebody views the
wrong picture in a signed message I send. Integrity of the text message is all
I really care about. Others might feel differently, though.

One other thing. The field used to display the "X-Face" picture is also used to
display "gravatars" kept on file in KAddressbook. So people can (in effect)
attach pictures to their messages without using "X-Face" (with the recipient's
assistance). One can even configure KMail itself to search for gravatars on the
internet (Configure KMail --> Plugins --> Gravatar Config). So "X-Face" is
becoming redundant. Just a thought.
