-----BEGIN PGP SIGNED MESSAGE-----
In <iluy8uj7p99(_dot_)fsf(_at_)latte(_dot_)josefsson(_dot_)org> Simon Josefsson
<simon+ietf-822(_at_)josefsson(_dot_)org> writes:
The problem is that the above procedure is flawed, so it is not always
possible to use it in the real world. There are several problems with
that text, I believe the two major issues are:
1) It leads to invalid MIME messages on the wire. After following the
above procedure, what is sent is a message marked with CTE qp but
only the contents of the inline PGP message actually follow the QP
rules. The PGP armor itself do not follow the QP rules.
No, I don't think that is right. There are basically two ways of signing
PGP messages:
1. The "usual" way. You construct a text A, pass it through a PGP signing
engine to get text B (it will do nasty things like changing every initial
"---" on your lines to "- --"). Text B will contain the usual PGP
wrappers, your text, and the PGP sig.
You then email Text B, and if you can persuade you mailer to encode it as
7bit, then any trailing spaces (which were not included in the PGP hash,
but are still present in your text) will be protected against munging en
route. Note that it is your original text that is signed, not the QP
version.
2. Use RFC 3156 (PGP/MIME). This time the overall message is a
multipart/related. The first part contains your text, with CTE QP (thus
there are no trailing spaces remaining).
The PGP signature goes in the second part, which may or may not be encoded
(probably not, as it is all pure ASCII). Note that in this method it is
the QP version of the text that gets signed, which means that if some
well-meaning intermediate site undoes the QP, then the signature is
broken.
Just for the hell of it, I shall sign this message both ways (so the outer
signature will actually sign the inner one). Note that the inner signature
does not cover my sig at the bottom, but you can if you like watch out for
the trailing SP in my sig separator. Note that none of it will be QP
encoded because I cannot persuade this particular system to put it in QP,
so you will have to take that part on trust.
And here is a line commencing with "---", so you can see how PGP munges it
(when you check the signature, that will get undone).
- -------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQB8AwUBP7T5h61e6k0sFfGpAQETXAMzBDYg7HFIL+djkxKVB7Zz3E8+iWBYMRi0
KdPIpi6bmqvJyElR0GGVWylZJqdv3/th1ftB/zCTcS+iXB9siKuJDTh4Uu2I2Fpe
awIGX3CZUHr8emyRpWMqO8sLNEMu96wvnULQOmpeyg==
=vpkr
-----END PGP SIGNATURE-----
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave,
CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
pgppzqDuVR1WI.pgp
Description: PGP signature