Randall Gellens <randy(_at_)qualcomm(_dot_)com> writes:
An updated draft which is intended to replace RFC 2646 has been sent
in; because of the crush of last-minute submissions, there may be a
delay before the announcement appears. During this time it is
available at
<ftp://ftp.pensive.org/Public/Randy/draft-gellens-format-bis-02.txt>.
This version reflects comments received during IETF Last Call.
The changes from the -01 version are a discussion of OpenPGP's
stripping of trailing whitespace before calculating the signature,
mention of Unicode Annex 14, and some text clean-ups/clarifications .
Thanks for adding the OpenPGP discussion. Given the subtleness of the
issue, I believe the document should not only mention it, but also
give normative advice on how the combination of OpenPGP and
format=flowed is to be implemented. Otherwise implementors will
ignore the problem, as they do today.
When I look at how to properly implement both OpenPGP and
format=flowed, I can't come to any other conclusion than that security
is more important than maintaining soft paragraph breaks. That means
a client should not flow OpenPGP signed data, when it present the
outcome as something that OpenPGP guarantee is what the sender sent.
If the client would flow a message, someone in transit may modify the
rendering of a message without being detected by OpenPGP.
Repeating the text from RFC 2440, saying that PGP/MIME aka RFC 3156
SHOULD be used in messaging applications, may be sufficient. Perhaps
promote it to MUST within the scope of flowed messages.
Thanks,
Simon