RE: [Fsuk-manchester] Michael's PGP Signature - Re: Fsuk-manchester Digest, Vol 36, Issue 3

[Pete Morris]

>> 2. Because it contains a hash, verifying the signature also proves
>> that the message has not been changed en-route. Because it may pass
>> through several mail servers before it is posted to the list, even if
>> the original was sent by Michael, the email could be changed after it
>> was sent. It could get corrupted or it could be intercepted by someone
>> with malicious intent and modified to say something very different.

See now that raises an interesting question in itself. As you can probably see 
from my reply, unless you make a habit of personally inserting manual line 
breaks into your emails after x number of characters, your email has been 
"mangled" somewhat or somewhere along the way. The content of the email I am 
sure is identical, but the formatting of the whitespace has changed. As such, 
this email would fail the hash. If not whitespace, other characters will be 
altered and lost as the email moves between different character sets and 
encoding standards.

Does this not make email signing of non-binary encoded email somewhat academic? 
The only way I could actually check that the hash is valid against the email is 
to have a guaranteed copy of the original email, at which point the purpose is 
entirely moot. Otherwise, I can never tell the difference between a plaintext 
ASCII email which is maliciously changed and a plaintext ASCII email which has 
had whitespace alteration or similar. Without the context, I am obliged to 
assume that ALL emails are potentially modified, as none of them will match the 
hash. With 100% error rate, it begs the question why have it in the first place?

Pete