[kmail2] [Bug 439958] X-Face can break cryptographic signatures
David C. Bryant
bugzilla_noreply at kde.org
Mon Sep 27 14:13:52 BST 2021
https://bugs.kde.org/show_bug.cgi?id=439958
--- Comment #14 from David C. Bryant <davidbryant at gvtc.com> ---
(In reply to Sandro Knauß from comment #13)
> I can confirm it [snip ...]
>
> @David: can you check, if you get proper signatures, if you disable the
> picture (X-Face)? (Picture tab of the Identity).
Yes, Sandro, signatures work fine with X-Face disabled. See the screenshot I'm
adding as an attachment to this bug report today. I am using the same picture
as was in the X-Face header as my gravatar (see discussion below). So the
message appears the same (to me) both with and without embedded X-Face headers
(except that X-Face breaks the crypto signature).

A friend referred me to this web page:
https://datatracker.ietf.org/doc/html/draft-autocrypt-lamps-protected-headers-02
and raised the question "should the X-Face header be a protected header?" I'm
not real sure of the answer. Personally, I don't care if somebody views the
wrong picture in a signed message I send. Integrity of the text message is all
I really care about. Others might feel differently, though.

One other thing. The field used to display the "X-Face" picture is also used to
display "gravatars" kept on file in KAddressbook. So people can (in effect)
attach pictures to their messages without using "X-Face" (with the recipient's
assistance). One can even configure KMail itself to search for gravatars on the
internet (Configure KMail --> Plugins --> Gravatar Config). So "X-Face" is
becoming redundant. Just a thought.