ietf-openpgp

Re: Text canonicalization

2001-12-27 16:21:56

That's a good discussion, but it doesn't cover the case of a detached
signature on a text document.  In that case the document is not subject
to OpenPGP text canonicalization on signature creation, and hence cannot
be assumed to have been canonicalized on signature verification.

We could just rule this case out.  I think that's what Jon's analysis
would suggest.  If you can't canonicalize it, you can't call it text.

However there may be some people who would like to use this feature.
They want to sign a text document which they are distributing, but they
want to put the signature in a separate file.  That way the text document
is accessible to everyone without being cluttered with crypto crud.

The problem with this case is that text documents tend to get transported
in two ways, using such transports as FTP.  One way converts the document
to the native text format of the recipient machine, generally just
converting line endings.  The other way preserves the document unchanged.

Ideally, we could adopt conventions which would allow most of these
cases to work correctly.  We won't be able to handle every variant and
every machine's notion of text, because there are so many obscure ones
out there.  But we could capture the great majority of cases with some
simple rules.

These rules are that the document should be canonicalized with all of
CRLF, CR and LF being treated as line endings, and being turned into
CRLF for hash purposes.  This was what I proposed.  I continue to believe
that this simple rule provides the maximum flexibility to the end user.

Hal Finney
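
The rule proposed in the message above, as an added example that is not part of the original post or of any OpenPGP implementation: every CRLF, bare CR and bare LF is treated as one line ending and hashed as CRLF, so a detached signature's document digest is the same whether the file was transferred in text or binary mode. The function names, the SHA-256 choice and the sample documents are assumptions made for illustration; a real OpenPGP signature also hashes signature metadata after the document, which is not shown here.

```python
import hashlib
import re

# CRLF is listed first so that it is matched as ONE line ending, not two.
_EOL = re.compile(rb"\r\n|\r|\n")

def canonicalize(data: bytes) -> bytes:
    """Rewrite every CRLF, bare CR and bare LF as CRLF."""
    return _EOL.sub(b"\r\n", data)

def canonical_digest(chunks, algo: str = "sha256") -> str:
    """Hash an iterable of byte chunks in canonical (CRLF) form.

    A CRLF pair may be split across two chunks when a file is read in
    blocks, so a trailing CR is held back until the next chunk shows
    whether an LF follows it.
    """
    h = hashlib.new(algo)
    pending_cr = False
    for chunk in chunks:
        if pending_cr:
            chunk = b"\r" + chunk
            pending_cr = False
        if chunk.endswith(b"\r"):
            chunk = chunk[:-1]
            pending_cr = True
        h.update(_EOL.sub(b"\r\n", chunk))
    if pending_cr:  # document ended on a bare CR
        h.update(b"\r\n")
    return h.hexdigest()

# Constructed sample: the same text as stored on three kinds of machine.
UNIX = b"Release notes\nline two\n\nlast line\n"
DOS = UNIX.replace(b"\n", b"\r\n")
MAC = UNIX.replace(b"\n", b"\r")

if __name__ == "__main__":
    for name, doc in (("LF", UNIX), ("CRLF", DOS), ("CR", MAC)):
        raw = hashlib.sha256(doc).hexdigest()[:16]
        canon = canonical_digest([doc])[:16]
        print(f"{name:5} raw={raw} canonical={canon}")
```

The raw digests differ for the three variants while the canonical digests agree, which is the property a verifier needs when it cannot know how the text file was transported.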
