Digitally signing newsgroup posts

I recently did some testing of SMIME signed newsgroup messages. First, I guess I should state how I achieved it in Mozilla Thunderbird (also works in Mozilla Application Suite, and Netscape 7):
First, set up one of your mail accounts to have a certificate for digital signing. Close Mozilla Thunderbird, and open your prefs.js file. The mail identity in which you added a certificate should have a couple of pref lines pertaining to digital signing. For instance, if it were id1, it would be:
user_pref("mail.identity.id1.sign_mail", false);
user_pref("mail.identity.id1.signing_cert_name", "certificate name here");

Copy and paste those lines to the id that pertains to your news account, and edit the id number on the pasted lines. So, if your news account is id6, you should have both:
user_pref("mail.identity.id1.sign_mail", false);
user_pref("mail.identity.id1.signing_cert_name", "certificate name here");

user_pref("mail.identity.id6.sign_mail", false);
user_pref("mail.identity.id6.signing_cert_name", "certificate name here");

(Note that if you want your messages to be automatically be signed, you can change the value of mail.identity.id6.sign_mail to true.)

Save and close the prefs.js, and start Thunderbird. Open a newsgroup, and click on “Write.” If you want to sign the message, you can go to Options -> Security -> Digitally Sign This Message.

Okay, now that we know how to do it, what happens when it’s done?

The first message I tested contained a body of one word: “test”. That message was 4KB. I got a certificate with lower encryption. The first was 2048bit, the second was 1024. The same test message with a 1024 bit key was 1KB less in size (3KB). Note that if you’re using the Face header, that will also add another KB to your message, so all in all, you could have a one word newsgroup post, that is 5KB in size.

I did a few tests in netscape.public.test to see if the messages would propagate, and how Google will take and display them. Google didn’t take them. As a matter of fact, neither did Giganews. I had to use to post them. Unsigned replies to those tests showed up on both Google and Giganews, so I did some digging. The signed messages were sent with the content-type header:
Content-Type: multipart/signed; protocol=”application/x-pkcs7-signature”; micalg=sha1; boundary=”————ms090800060705060603050107″
Both Google and Giganews filter out messages with binary attachments in text groups. Google and Giganews are treating the signature as a binary attachment. To verify this, I tried to post a signed message to giganews.test.binary, and it worked. If you want to sign your newsgroup messages, expect them to be treated as binary attachments.

Okay, the digital signatures are treated as binary attachments. How are other news clients going to display the message. What I have on my system is Thunderbird, Netscape7, Mozilla 1.7.8, Netscape Communicator 4.8, Opera 7.54, Outlook Express 6, and Xnews5.04. All, except Opera and Xnews, recognized the signature as such, and had special display for it (key, etc). Opera and Xnews just considered it an attachment and used the generic attachment display method.

If you’re posting on usenet, don’t bother. If you’re posting on a private server, make sure there’s a clear reason to digitally sign your messages, that is worth the extra 2KB, and take note of the software others are using.