I just had a discussion about integrity of S/MIME and PGP. I wonder if the different parts (e.g. attachments and body) are signed/hashed/fingerprinted separately or is this only applied to the resulting container? I checked some RFCs and websites and it looks like the hash/signature is only for the whole message, right?
For example: If one of several attachments is extracted from a smime.p7m file, is this particular file checked for integrity (e.g. hash code) or do the signature and hashes only cover the complete message?
And is this different for S/MIME and PGP?
Finally, is there a good resource (except the long-to-read RFCs) which shows this?
Thanks!
The S/MIME and PGP (PGP/MIME as well as inline-PGP) specifications do not enforce what MIME parts you sign or don't sign or if you sign the top-level MIME part or individual parts.
That is all left up to the mail client to decide.
In general, from what I've seen in the wild, S/MIME-capable mail clients tend to sign the top-level MIME part, which means that the attachments along with the message body are all signed together.
PGP/MIME is very much used the same way.
For clients that use inline-PGP, they sign things individually, and usually only the message body text itself and none of the attachments (although there are a few that do that as well - I think The Bat! comes to mind?).
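An added example (not part of the question or the answer above) of the top-level layout the answer describes: a PGP/MIME-style multipart/signed message whose first part is the multipart/mixed entity holding the body and every attachment, and whose second part is one detached signature over that entity. The OpenPGP signature is replaced by an HMAC stand-in (an assumption, so it runs offline without gpg); the key, boundary string and file contents are constructed. It shows that one signature covers all parts together, that editing any single attachment breaks verification of the whole message, and that an attachment extracted from the message carries no signature or digest of its own.

```python
"""Added example: one signature over the whole multipart/mixed entity,
no per-attachment integrity.  HMAC stands in for the OpenPGP signature."""
import base64
import hashlib
import hmac
from email import message_from_bytes, policy
from email.message import EmailMessage

SIGNING_KEY = b"constructed-signing-key"          # assumption: stands in for the sender's private key
OUTER_BOUNDARY = b"=-signed-boundary-constructed"  # constructed boundary for the multipart/signed wrapper

# Constructed sample attachments.
REPORT = b"quarterly numbers: 1,2,3\n"
NOTES = b"a,b\n1,2\n"
NOTES_EDITED = b"a,b\n1,9\n"   # same length, one byte changed


def sign_octets(octets):
    """Stand-in for the detached OpenPGP signature over the signed entity."""
    return hmac.new(SIGNING_KEY, octets, hashlib.sha256).hexdigest().encode("ascii")


def build_signed_message(body_text, attachments):
    """multipart/signed whose first part is multipart/mixed (body + all attachments)."""
    inner = EmailMessage(policy=policy.SMTP)   # SMTP policy => CRLF line endings (RFC 3156 canonical form)
    inner.set_content(body_text)
    for name, data in attachments:
        inner.add_attachment(data, maintype="application",
                             subtype="octet-stream", filename=name)
    inner_bytes = inner.as_bytes()             # the ONE entity that gets signed, attachments included
    signature = sign_octets(inner_bytes)
    return b"".join([
        b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n",
        b' protocol="application/pgp-signature"; boundary="', OUTER_BOUNDARY, b'"\r\n',
        b"MIME-Version: 1.0\r\n\r\n",
        b"--", OUTER_BOUNDARY, b"\r\n",
        inner_bytes,
        b"\r\n--", OUTER_BOUNDARY, b"\r\n",
        b'Content-Type: application/pgp-signature; name="signature.asc"\r\n\r\n',
        signature,
        b"\r\n--", OUTER_BOUNDARY, b"--\r\n",
    ])


def signed_octets(raw):
    """The exact octets the signature covers: from after the first boundary line
    up to the CRLF that precedes the second one (RFC 1847 / RFC 3156)."""
    outer = message_from_bytes(raw, policy=policy.default)
    delim = b"--" + outer.get_boundary().encode("ascii")
    start = raw.index(delim + b"\r\n") + len(delim) + 2
    end = raw.index(b"\r\n" + delim, start)
    return raw[start:end]


def verify_signed_message(raw):
    """True only if the whole signed entity (body and every attachment) is intact."""
    outer = message_from_bytes(raw, policy=policy.default)
    if outer.get_content_type() != "multipart/signed":
        return False
    claimed = outer.get_payload(1).get_payload(decode=True).strip()
    return hmac.compare_digest(claimed, sign_octets(signed_octets(raw)))


def parts_under_signature(raw):
    """(content type, filename) of every leaf part the single signature covers."""
    signed_entity = message_from_bytes(raw, policy=policy.default).get_payload(0)
    return [(p.get_content_type(), p.get_filename())
            for p in signed_entity.walk() if not p.is_multipart()]


def extract_attachment(raw, filename):
    """Pull one attachment out, as a mail client's 'save as' would: plain bytes, nothing else."""
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_filename() == filename:
            return part.get_payload(decode=True)
    raise KeyError(filename)


def attachment_has_own_signature(raw, filename):
    """Is this attachment itself the signed part of some multipart/signed?  With
    top-level signing only the multipart/mixed container is, so this is False."""
    outer = message_from_bytes(raw, policy=policy.default)
    directly_signed = {id(p.get_payload(0)) for p in outer.walk()
                       if p.get_content_type() == "multipart/signed"}
    for part in outer.walk():
        if part.get_filename() == filename:
            return id(part) in directly_signed
    raise KeyError(filename)


def tamper_attachment(raw, original, replacement):
    """Edit one attachment in transit by swapping its base64 body (same length)."""
    old, new = base64.b64encode(original), base64.b64encode(replacement)
    if raw.count(old) != 1:
        raise ValueError("attachment body not found exactly once")
    return raw.replace(old, new)


if __name__ == "__main__":
    raw = build_signed_message("Hi,\nfigures attached.\n",
                               [("report.txt", REPORT), ("notes.csv", NOTES)])
    print("covered by the one signature:", parts_under_signature(raw))
    print("intact message verifies:", verify_signed_message(raw))
    print("report.txt has its own signature:", attachment_has_own_signature(raw, "report.txt"))
    print("verifies after editing notes.csv:",
          verify_signed_message(tamper_attachment(raw, NOTES, NOTES_EDITED)))
```

The verifier here slices the signed octets straight out of the raw message rather than re-serialising the parsed MIME tree, which is what a real implementation must also do: the signature is over the transmitted octets, and any re-encoding on the way (line-ending or charset changes by an MTA, for example) breaks it for the whole message, not for one part. Inline-PGP differs only in scope: the armored signature block sits inside the text body and covers just that text, which is why attachments travelling with an inline-signed message are not covered at all.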