
Yeah, right. flowcrypt is cute but worthless.

2020-02-26 by: Michael Harrison
From: Michael Harrison 
------------------------------------------------------
Worth knowing. If Flowcrypt verifies a signature on an email, it seems to
assume the sending email address is the correct address to display.
GPG shows the list address, but FlowCrypt shows MY email address name.

So you can't trust Flowcrypt. I would think it would show the signature
that signed it. ie: Signed by:  chugalug@chugalug.org . From mike@...



$ gpg --verify ./fooz
gpg: Signature made Wed 26 Feb 2020 12:25:06 AM UTC
gpg:                using RSA key A7161401320B1A73E7EE0F73E2281DB4AF4615F5
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   4  signed:   0  trust: 4-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-02-22
gpg: Good signature from "Chugalug (mailing list) " [full]

===============================================================
From: Adam Jimerson
------------------------------------------------------
It does not seem to be designed with mailing lists in mind. Still need to
see how well Mailvelope works in a list context, but that will need to wait
until the list plays nice with inbound signing/encryption. ;)

===============================================================
From: Adam Jimerson
------------------------------------------------------
Well, it seems as though Mailvelope falls short as well. It was able to
detect and correctly decrypt Mike's original email, but it fails to validate
the signature due to the fact the key that signed the email is the list's,
not Mike's.

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
Maybe I'm thinking wrong about letting a list essentially proxy and sign for
a different sender. Today's not a day to play much. Adding functionality to
a fax server. Loads of fun. ;)

Would expect a "Signed by: chugalug... Sender is: mike@..." warning.
Maybe that's my issue.

I appreciate your playing with me and the list. :)

===============================================================
From: Adam Jimerson
------------------------------------------------------
I did reach out to the Mailvelope devs about this [1]. I would think that
such a browser extension would be able to pick up on the "List-ID" or the
"Mailing-list" header. I know that Kmail correctly identifies this and is
able to successfully validate the signature with the Chugalug list key. I
would assume that Thunderbird with the Enigmail add-on installed would do the
same. I don't have a box with Thunderbird+Enigmail installed so I can't
really test this. I do think you are on the right track with the headers (as
at this point I trust Kmail more than I do these browser extensions).

The signature also gets successfully validated by GPG after it decrypts the
message:

[~/Downloads]─> gpg foo
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: encrypted with 4096-bit RSA key, ID 0xA4F797FD762D3CFA, created 2020-02-23
      "Chugalug (mailing list) "
gpg: encrypted with 2048-bit RSA key, ID 0xB460C43FA28FD091, created 2014-06-19
      "keybase.io/vendion "
gpg: foo: unknown suffix
Enter new filename: fooz
gpg: Signature made Wed 26 Feb 2020 09:15:24 AM EST
gpg:                using RSA key A7161401320B1A73E7EE0F73E2281DB4AF4615F5
gpg: Good signature from "Chugalug (mailing list) " [full]
Primary key fingerprint: A716 1401 320B 1A73 E7EE 0F73 E228 1DB4 AF46 15F5
[~/Downloads]─> cat fooz
detect Mikes. Maybe I'm thinking wrong abouting letting a list essentially proxy and sign for a different sender. Todays not a day to play much. Adding functionality to a fax server. Loads of fun. ;)

One solution may be to do a detached signature and attach the signature to
the email. Maybe that will help the badly behaving clients?

[1]: https://github.com/mailvelope/mailvelope/issues/722
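
The "Signed by: ... Sender is: ..." display asked for in the thread, as an added example that is not part of the original messages or of any client discussed: it compares the signer user ID from GnuPG's machine-readable status lines with the From header and uses List-Id only to choose the wording. The sample message, the mike@example.org address, the status lines and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; mike@example.org is a placeholder address.
SAMPLE_MESSAGE = (
    "From: Mike Example <mike@example.org>\n"
    "To: chugalug@chugalug.org\n"
    "List-Id: Chugalug <chugalug.chugalug.org>\n"
    "Subject: test\n\nbody\n"
)
# Constructed `gpg --status-fd 1 --verify` style lines, using the key
# fingerprint quoted in the thread (trailing VALIDSIG fields omitted).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG E2281DB4AF4615F5 Chugalug (mailing list) <chugalug@chugalug.org>\n"
    "[GNUPG:] VALIDSIG A7161401320B1A73E7EE0F73E2281DB4AF4615F5 2020-02-26\n"
)

def parse_status(status):
    """Return (signer_uid, fingerprint); both None unless the signature is good."""
    uid = fpr = None
    for line in status.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[:2] == ["[GNUPG:]", "GOODSIG"]:
            uid = parts[3]
        elif len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fpr = parts[2]
    return (uid, fpr) if uid and fpr else (None, None)

def describe_signature(raw_message, status):
    """Decide what a client should display next to the From header."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    uid, fpr = parse_status(status)
    if uid is None:
        return {"verdict": "unverified", "display": "No valid signature"}
    m = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)
    signer = m.group(1).lower() if m else ""
    if signer and signer == sender:
        return {"verdict": "sender-signed", "display": f"Signed by: {signer}"}
    # List-Id is unauthenticated, so it only changes the wording: the From
    # address stays unverified whenever the signer differs from it.
    verdict = "list-signed" if msg.get("List-Id") else "mismatch"
    return {"verdict": verdict, "fingerprint": fpr,
            "display": f"Signed by: {signer or uid}. Sender is: {sender} (not verified)"}

if __name__ == "__main__":
    print(describe_signature(SAMPLE_MESSAGE, SAMPLE_STATUS)["display"])
```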