Thank you very much.
All encrypted messages we get, and all encrypted attachments in unencrypted messages, have a PGP signature. We can verify the signatures, because we have the public key of the sender, and we have checked that it is the correct public key by verifying its fingerprint.
MDC doesn't bind contents to the sender in any way
Yes, that has been clear to me.
i.e. I may create any fake attachment (knowing invoice structure, for instance), encrypt it to your public key with MDC, and send it to you, faking all other metadata (sender, subject, headers and so on).
You could try that. But if the attachment does not contain a PGP signature, we don't trust it. If the attachment does contain a PGP signature, but that signature has been created using a private key whose public counterpart we haven't imported and trusted yet, we also don't trust the attachment.
I strongly hope that Thunderbird will throw warnings in big red letters if a PGP-encrypted attachment does not contain a PGP signature, or a signature from a sender whose public key we haven't imported or trusted yet. But I admit that I didn't test this yet.
Anyway, provided that TB behaves reasonably and checks for and verifies the signature in the attachment, we stumble across that the attachment is not signed correctly.
Exactly, you can't use encrypted attachments of a plain email and then expect it to be secure. It doesn't matter if we check the signature either: it's easy to add a signature that is technically correct.
When there is a signature which is technically correct, its verification will fail and TB will hopefully present a warning in big red letters, unless we have trusted the respective public key. Perhaps we have a different definition of what checking a signature means. In my opinion, this is a two-step-process:
- Check whether the attachment has a technically correct signature at all. If not, throw a warning in big red letters.
- Check whether we already have imported and trusted the public PGP key which corresponds to the private PGP key the signature is based on. If not, throw a warning in big red letters.
If you need security, you should have them send you secure email, not emails with "hidden content".
I still believe that there is not much difference between a regular PGP-encrypted message and a PGP-encrypted file or attachment, respectively. Messages as well as files can be signed, and in both cases, the signature can be verified in identical manner. I just have done some tests with GnuPG on the command line which confirm that statement. If you're interested in the details, I can provide the log from the terminal, which is very instructive.
If the method of verifying encrypted attachments' signatures differs from the method of verifying whole encrypted messages' signatures in Thunderbird, then this is due to the implementation, not due to the protocol or data formats.