[This thread got started since PGP signatures on the bugtraq list
did not verify correctly. However, these signatures are (1)
text-mode, and (2) the modification apparently concerns trailing
whitespace.]
This smells like a discrepancy between RFC 2440 and the classical
PGP implementation has crept in, and gone unnoticed for quite some
time.
Essentially, RFC 2440 says that we shouldn't observe the problems
occuring on bugtraq: Peter is generating "canonical text"
signatures. RFC 2440 says:
0x01: Signature of a canonical text document.
Typically, this means the signer owns it, created it, or
certifies that it has not been modified. The signature
is calculated over the text data with its line endings
converted to <CR><LF> and trailing blanks removed.
However, when experimenting with PGP 2.6.3in, I'm observing that
canonical text signatures _do_ take trailing whitespace into
account.
Now, let's look at the older docs: RFC 1991 doesn't seem to define
canonical text mode at all. pgpdoc2.txt from the PGP 2
distribution, however, just says this: "Canonical text has a
carriage return and a linefeed at the end of each line of text."
This is a precise description of the behaviour, and actually matches
the expectation which seems to have been implicit to RFC 2015, which
only deals with line-end canonicalization, but not with the
signature mode to be used.
To make things worse, the "clearsign" signatures of pgp2 _do_
correspond with what RFC 2440 says about canonical text documents in
general.
Now, what are the recent implementations (PGP 5/6/7, GnuPG) doing
about all this? Are they compatible:
- to each other?
- to PGP 2.6?
Or am I just confused?
On 2000-10-04 11:55:29 +0200, Peter J . Holzer wrote:
Date: Wed, 4 Oct 2000 11:55:29 +0200
From: "Peter J . Holzer" <hjp(_at_)wsr(_dot_)ac(_dot_)at>
To: Lars Hecking <lhecking(_at_)nmrc(_dot_)ie>
Cc: Thomas Roessler <roessler(_at_)does-not-exist(_dot_)org>,
aleph1(_at_)SECURITYFOCUS(_dot_)COM
Subject: Re: rcp file transfer hole (was: scp file transfer hole)
X-Mailer: Mutt 0.95.3i
[I have included Elias in the Cc, because I think he might want to know
about this "feature" of his mailing-list software]
On 2000-10-04 10:06:34 +0100, Lars Hecking wrote:
Any idea why half the signatures on bugtraq don't check out? Do you
have an fcc copy of your posting that you can compare with the posted
message?
Yes.
Looks like Bugtraq strips trailing spaces from each line. This will
garble the signature separator ("-- ") and therefore the pgp signature
won't check out any more.
I guess I should add
send-hook '~t BUGTRAQ(_at_)SECURITYFOCUS(_dot_)COM' 'set pgp_strict_enc'
to my .muttrc.
For people which don't use PGP signatures, but want their normal
signatures to be separated correctly, it would be nice if mutt could be
forced to use quoted printable even for ascii messages. Thomas?
hp
--
_ | Peter J. Holzer | Any setuid root program that does an
|_|_) | Sysadmin WSR / LUGA | exec() somewhere is just a less
| | | hjp(_at_)wsr(_dot_)ac(_dot_)at | user friendly version of su.
__/ | http://www.hjp.at/ | -- Olaf Kirch on bugtraq 2000-08-07
--
Thomas Roessler <roessler(_at_)does-not-exist(_dot_)org>
pgpZRnVf6spMq.pgp
Description: PGP signature