Using PGP with Eudora

by Julian Y. Koh (kohster@mac.com)

If you're reading this document, I assume that you know what PGP is and the basics of how it works. If not, you should download PGP and read the documentation and numerous FAQs about PGP that are available all over the Net.

The purpose of this document is to outline some of the issues I have experienced while using PGP and the MacOS version of Eudora. Some of these issues and their solutions also apply to other versions of Eudora and/or to email clients other than Eudora, but for the most part, I am only going to deal with Mac Eudora and PGP. Screenshots and examples have been taken from PGP Desktop Security 7.0 and Eudora 5.0.

Having said all of that, while I do welcome questions and comments, please do not ask questions about the basic concepts of PGP operations or Eudora operations; a wealth of knowledge exists on those two topics already. Please do not hesitate to let me know if you have any comments or questions about the topics discussed on this page, though!

If you are interested in obtaining my PGP public key, you can find it at <http://bunnytoaster.nsg.northwestern.edu/julian/pgppubkey.html>.

Finally, everything here is solely my opinion formed through my own personal experience. It does not necessarily reflect the official opinions of Qualcomm, PGP, NAI, or any other entity other than myself.

PGPMenu

It is not advised to use the PGPMenu for PGP operations within Eudora. Use the EMSAPI plugin or the buttons in the message window button bar.

Button Bar vs. Plugin

The first issue that always comes up when using PGP and Eudora is "Should I use the buttons in the message window button bar to sign/encrypt, or should I use the EMSAPI plugin commands which are accessed under the Edit menu?" I vote for the plugin, and here's why.

Figure 1. Message Window Button Bar. The buttons for PGP Encrypt and PGP Sign are the 2 rightmost buttons. Thanks to Anthony Greene for the improved screenshot.

If you use the buttons, PGP operations are not performed on your message text until the message is actually being sent to your outgoing SMTP mail server. This results in several bad things:

* If anyone gains access to your computer, the text you thought was encrypted could be easily captured and read.
* The text you had signed could be altered in your Out mailbox to make it look like you said something that you really didn't.

On the other hand, if you store encrypted messages in your Out mailbox, you lose the ability to search for the contents of the original message. If you are at all concerned about the security of the files on your hard drive, you should employ some sort of encryption tool that lets you securely store your files. I use PGPDisk, which comes with PGP Personal Privacy and PGP Desktop Security.

Also, when you use the buttons to sign, your Eudora signature ends up being part of the signed message. This may not necessarily be a bad thing, but keep in mind that if you use the proper signature delimiter at the beginning of your signature ("-- "), the process of signing will change this to "- -- ". Why does this happen? Well, PGP looks for lines that begin with consecutive dashes in order to find the start and end of messages, as well as its own signature block. Thus, the signing process breaks up any lines that start with 2 or more consecutive dashes in order to avoid confusion. After this happens, your recipients' email clients will not be able to properly tell where the body of your message ends and the signature begins.
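The dash-escaping described above, as an added example (not part of the original page and not PGP's own code). It follows the rule in the OpenPGP specification (RFC 4880, section 7.1), which prefixes every line that begins with a dash with "- "; the function names and the sample message are made up for illustration.

```python
# Added example: dash-escaping of cleartext-signed text (RFC 4880, section 7.1)
# and its effect on the "-- " e-mail signature delimiter.

SIG_DELIMITER = "-- "  # conventional e-mail signature separator line


def dash_escape(text):
    """Prefix every line that starts with a dash with '- ' (done when signing)."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))


def dash_unescape(text):
    """Remove the '- ' prefix again (done when the signed text is verified)."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))


def split_signature(text):
    """Split a message at the last '-- ' line, the way a mail client would.

    Returns (body, signature); signature is None when no delimiter line exists.
    """
    lines = text.split("\n")
    for i in range(len(lines) - 1, -1, -1):
        if lines[i] == SIG_DELIMITER:
            return "\n".join(lines[:i]), "\n".join(lines[i + 1:])
    return text, None


# Constructed sample: a body followed by an e-mail signature block.
MESSAGE = ("See you at noon.\n"
           "-- \n"
           "J. Example\n"
           "----- public key on my web page -----")

if __name__ == "__main__":
    escaped = dash_escape(MESSAGE)
    print(escaped)
    # The delimiter is now "- -- ", so the client no longer finds a signature.
    print("signature found in signed text:", split_signature(escaped)[1])
    # Once the escaping is undone, the delimiter is recognisable again.
    print("signature after unescaping:", split_signature(dash_unescape(escaped))[1])
```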

Given all of that, I use the plugin commands to sign and encrypt my text directly within the message window, before queueing and sending the messages. Now, as you will see in later parts of this page, using the buttons can actually solve most of the other problems that I discuss, so you should decide for yourself which path you want to follow.

PGP/MIME

PGP/MIME is a standard way of MIME-encoding PGP-signed/encrypted text. You can only send PGP/MIME-encoded messages if you use the button bar to sign/encrypt, and if you have turned on the PGP/MIME option in the Email section of the PGP Preferences.

Figure 2. PGP Email Preferences

What do I have against PGP/MIME? Not too much. My only real complaint is that Eudora receives PGP/MIME messages as attachments, and thus they are saved as separate files within whatever folder you have designated for your attachment folder. If you don't like cluttering up this folder with lots of attachments, ask people not to use PGP/MIME when sending you signed/encrypted messages. Also, if you're not sure if your recipients are using MIME-capable email clients, you shouldn't use PGP/MIME.

A very minor complaint about PGP/MIME as implemented in Eudora is that you have to double-click the attachment icon before you can read the contents. This is the smallest of nitpicks.

Figure 3. A PGP/MIME-Encoded Message

Format=Flowed

With Eudora 4.x, Qualcomm introduced a feature known as format=flowed. You can read all about it at <http://www.eudora.com/techsupport/kb/1625hq.html>. In short, format=flowed (or f=f for short) is a new way of sending text via email in order to facilitate more pleasing wrapping and quoting of text. For the most part, they have succeeded in this objective. However, once PGP enters into the equation, f=f ends up causing more problems than it solves.

The problem mostly centers around how Eudora displays this f=f text. Rather than showing the traditional quote characters (>) at the beginning of each quoted line, Eudora uses a black "excerpt bar". Now, the beauty of f=f is that the quote marks are actually there in the text, so anyone using an email client that doesn't support f=f will actually see them, and it will look totally normal to them.

Figure 4. Format=Flowed Quoted Text in a Reply

However, this beauty is also the main problem as far as PGP is concerned. Because the quote marks aren't displayed in a Eudora window, when you sign/encrypt a message within the message window, the quote marks aren't inserted into the quoted text, so the quoted text ends up unquoted!

Figure 5. Format=Flowed Signed Reply

The same thing happens when decrypting. Because the message gets encrypted without any quote marks, the quoted text will not appear as quoted when you decrypt the message.

Now, the easiest way to end up with the proper quoting is to use the button bar buttons to sign/encrypt your messages. However, if you decide not to use the buttons, then you will want to turn off format=flowed completely. This is done in Mac Eudora by using <x-eudora-setting:260=1>. For those of you who do not know what X-Eudora-Settings are or how to use them, read <http://www.eudora.com/techsupport/kb/2116hq.html>.

In Windows Eudora, add the following lines to your eudora.ini file in the [Settings] section:

AlwaysExcerptResponse=0
ConvertFormatFlowedtoExcerpt=0
InterpretFormatFlowed=0

Figure 6. Quoted Text in a Signed Reply with Format=Flowed Disabled

Styled Text

Since Eudora uses the excerpt bars to display quoted styled text, you encounter the exact same situation that you do with format=flowed text - the excerpt bars disappear from PGP-signed quoted text, as illustrated above. Again, you can get around the problem by using the button bar buttons to sign/encrypt your messages. If you don't want to do that, you can manually remove all the style information from the quoted text. This can be a pain. Luckily, Qualcomm added another x-eudora-setting which makes this very easy: <x-eudora-setting:283=y>. When you set this value, all quoted text has style information removed, and the resultant text is hard wrapped. Qualcomm recommends against doing this, since if you use it with format=flowed it will end up undoing much of what f=f tries to accomplish. However, if you've already disabled f=f, there's no problem at all with it.

Note that the use of styled text may interfere with PGP operations, since styled text contains things like invisible formatting codes and characters and soft line breaks which may cause your messages to become undecryptable or to show bad signatures. For this reason, whenever you use PGP, make sure to use plain text only to ensure the best results. I won't go so far as to decry styled text altogether, since I believe there are actually some instances when styled text is useful, but that can be the subject of another page at another time. "Julian's Top 20 Hated Email Practices", or something like that.

Attachments

Attachments are not included in the signed/encrypted portion of a Eudora message unless you use the buttons in the button bar for signing/encrypting.

URLs Longer than 80 Characters

It is good practice to enclose URLs in <> brackets, a la RFC 1738. This is especially important when you have URLs which span more than a single line. The process of sending the message can insert a linebreak character into your URL, which will result in your recipients having to manually remove the linebreak character (which usually shows up as %0D) before accessing the URL.

When you sign a message manually using the EMSAPI plugin commands as opposed to the buttons in the button bar, you end up with one of these linebreaks in the URL. Thus, when you send a URL which is longer than a single line, make sure you use the button bar (you can still disable PGP/MIME) to sign your messages to avoid annoying your recipients.

GnuPG (GNU Privacy Guard)

When GnuPG (aka GPG) users encrypt and sign messages which are read using Mac Eudora, the signature usually ends up being "bad" because of the way GnuPG handles linefeed characters. At the end of every line, the Eudora user will see a little box denoting a UNIX-style linefeed. This problem does not occur when the sender is using PGP for Unix.
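Why line endings, soft line breaks and invisible characters can turn a good signature "bad", as an added example (not from the original page, and not a diagnosis of the specific GnuPG/Eudora interaction): a signature covers the exact bytes of the text, so both sides must first reduce it to one canonical form. The sketch applies the cleartext rules of RFC 4880, section 7.1 (CRLF line endings, trailing spaces and tabs removed) and uses a plain SHA-256 digest as a stand-in for the hash a real signature covers; function names and sample messages are constructed.

```python
import hashlib
import re


def canonicalize(text):
    """Strip trailing spaces/tabs from each line and use CRLF line endings."""
    lines = re.split(r"\r\n|\r|\n", text)  # accept CRLF, classic Mac CR, Unix LF
    return "\r\n".join(ln.rstrip(" \t") for ln in lines)


def text_digest(text, canonical=True):
    """SHA-256 over the text bytes (stand-in for the signed hash)."""
    data = canonicalize(text) if canonical else text
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def changed_lines(signed, received):
    """1-based numbers of lines whose canonical content differs, e.g. after
    re-wrapping or when styled text left invisible characters behind."""
    a = canonicalize(signed).split("\r\n")
    b = canonicalize(received).split("\r\n")
    width = max(len(a), len(b))
    a += [None] * (width - len(a))
    b += [None] * (width - len(b))
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed samples: one message as different systems might store it.
UNIX = "Meet at noon.\nBring the key.\n"          # LF line endings
CLASSIC_MAC = "Meet at noon.\rBring the key.\r"   # CR line endings
WRAPPED = "Meet at\nnoon.\nBring the key.\n"      # soft wrap became a hard break

if __name__ == "__main__":
    # Raw bytes differ, so a hash over them would not match ...
    print(text_digest(UNIX, canonical=False) == text_digest(CLASSIC_MAC, canonical=False))
    # ... but the canonical forms agree, so the signature would still verify.
    print(text_digest(UNIX) == text_digest(CLASSIC_MAC))
    # A changed line break alters the content itself; no canonical form fixes it.
    print(changed_lines(UNIX, WRAPPED))
```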

New Keys

If you add new keys to your PGP keyring while Eudora is running, you will not be able to use those new keys for PGP operations until you quit and relaunch Eudora.

Comment String

Using the stock Eudora PGP Plugin included with PGP Desktop Security 7.0, only the first 4 characters of your PGP Comment String are displayed in a signed/encrypted message. The comment string is most often used to provide directions on where to get a user's public key or PGP itself. According to Will Price from NAI, an updated version of the plugin should be shipping in an update to the product, time unknown. However, if you contact PGP Support directly, they may be able to supply you with a beta copy of the plugin.

PGP Desktop Security 7.0.3 for Mac OS was released on January 16. The PGP Plugin included with that version does not have the bug noted above.

Links

This is by no means intended to be anything resembling an exhaustive list of links. However, these links should give you a good grounding in Eudora and PGP.

<http://www.McCune.cc/PGP.htm> - Tom McCune's PGP page; one of the best FAQs for PGP out there.
<http://www.pgp.com/> - The Official Network Associates PGP Pages
<http://web.mit.edu/network/pgp.html> - MIT's PGP distribution site
<http://www.emailman.com/> - Andrew Starr's excellent site for all things email-related. Includes contributions from famous Eudora users like Hank Zimmerman, Anthony Greene, and more!

Thanks

A hearty thank-you to everyone who provided feedback and assistance with the construction and content of this page! You know who you are.


Last Updated on February 27, 2004.
All content on this page is ©2000, 2001, 2002, 2003, 2004 by Julian Y. Koh.
Unauthorized use prohibited.
Please send all comments and questions to kohster@mac.com.