[Top] [All Lists]

Re: Format=Flowed/RFC 2646 Bis (-02)

2003-11-14 10:15:54

In <iluy8uj7p99(_dot_)fsf(_at_)latte(_dot_)josefsson(_dot_)org> Simon Josefsson 
<simon+ietf-822(_at_)josefsson(_dot_)org> writes:

The problem is that the above procedure is flawed, so it is not always
possible to use it in the real world.  There are several problems with
that text, I believe the two major issues are:

1) It leads to invalid MIME messages on the wire.  After following the
  above procedure, what is sent is a message marked with CTE qp but
  only the contents of the inline PGP message actually follow the QP
  rules.  The PGP armor itself do not follow the QP rules.

No, I don't think that is right. There are basically two ways of signing
PGP messages:

1. The "usual" way. You construct a text A, pass it through a PGP signing
engine to get text B (it will do nasty things like changing every initial
"---" on your lines to "- --"). Text B will contain the usual PGP
wrappers, your text, and the PGP sig.

You then email Text B, and if you can persuade you mailer to encode it as
7bit, then any trailing spaces (which were not included in the PGP hash,
but are still present in your text) will be protected against munging en
route. Note that it is your original text that is signed, not the QP

2. Use RFC 3156 (PGP/MIME). This time the overall message is a
multipart/related. The first part contains your text, with CTE QP (thus
there are no trailing spaces remaining).

The PGP signature goes in the second part, which may or may not be encoded
(probably not, as it is all pure ASCII). Note that in this method it is
the QP version of the text that gets signed, which means that if some
well-meaning intermediate site undoes the QP, then the signature is

Just for the hell of it, I shall sign this message both ways (so the outer
signature will actually sign the inner one). Note that the inner signature
does not cover my sig at the bottom, but you can if you like watch out for
the trailing SP in my sig separator. Note that none of it will be QP
encoded because I cannot persuade this particular system to put it in QP,
so you will have to take that part on trust.

And here is a line commencing with "---", so you can see how PGP munges it
(when you check the signature, that will get undone).

- -------------------

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv


Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web:
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, 
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

Attachment: pgppzqDuVR1WI.pgp
Description: PGP signature