ietf-openpgp

Re: Clearsigning, MIME, etc.

2002-04-17 15:48:33

At 11:33 AM +0200 4/17/02, Thomas Roessler wrote:

Congratulations.  That was the easy part.  I suppose we agree that I
did things the right way with my message?


If I didn't, then there's something broken with signatures. :-)

In order to verify a signature I make, I suppose he'd have to
re-encode the data as presented to him from cp-1252 to utf-8.  (He
consistently reported that he could not verify the signatures I
made.)


Yes, and this is exactly the process that I insist implementers do.


To wrap things up:

- ASCII armor proper can be fixed by giving a clear specification of
  the character set issues involved: Either mandate UTF-8, or
  mandate tagging and use UTF-8 as the default.  The current
  language is considerably too fuzzy, and - I believe - mostly
  ignored.


UTF-8 is mandated to be the default. It always has been. All text is UTF-8
unless there is a tag telling you it isn't. If the handwaving I do in the
Charset section of 6.2 is causing problems, I will be happy to remove it. I
will also be happy to explicitly say all text is UTF-8.

My intent in any fuzziness in that language is because in the real world,
text is often tacitly tagged -- as you've mentioned in detail. The real
message is supposed to be, "go ahead and interpret it any way you want, but
you're on your own."

I suppose we could just declare that text is UTF-8. That doesn't solve the
problem completely, because there's always binary data, and if I send you
binary data that represents 8859-1, and you interpret it as 8859-15, we
still have a problem.

construct OpenPGP headers,

Eh?  You don't need to construct any OpenPGP headers with PGP/MIME.

Yes, I do. If I want to construct a clearsigned message from a MIMEd
message, I have to figure out the right spot to insert "-----BEGIN PGP
SIGNED MESSAGE-----" at the very least, and maybe a "Hash: SHA1" header,
and maybe a character set header. It's much easier for me to not verify
your signature. If it were clearsigned, I can just copy it into a text file.


The problem with getting anything implemented is that NAI does not
support PGP any more.


Well, my exercise shows it can work with no NAI involvement.


Finally, hard failures of clearsigning: You can only avoid these by
making sure that no lossy recoding happens as the data travels from
signer to verifier. Encouraging people to use utf-8 on the wire (so
there is at least no lossy recoding on the sending side) may help,
but you won't get rid of all the problems that way.


Note that both kinds of clearsigning failures don't occur with
PGP/MIME: The signed material is invariant under the transformations
which can reasonably be expected to happen.

Sure. But my grumpiness with OpenPGP/MIME is that I have no software that
does it and don't see how I'm going to get any. It's purely practical.

        Jon
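
Added example, not part of the original message: a sketch of the recoding step discussed above, in which the verifier re-encodes text delivered in cp-1252 back to UTF-8, alongside the two failures that recoding cannot repair (lossy recoding, and 8859-1 data read as 8859-15). It assumes a SHA-1 digest over simplified canonical text stands in for the full signature check; the sample text and all function names are constructed for illustration.

```python
import hashlib
from typing import Optional

# Constructed sample text (not from the thread); second line ends in spaces.
SIGNED_TEXT = "Grüße aus Zürich: ½ kg für 5 €\nzweite Zeile  \n"

def canonical_bytes(data: bytes) -> bytes:
    # Simplified clearsign canonicalization: CRLF line ends, trailing
    # spaces/tabs dropped. Safe on any ASCII-compatible charset.
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(ln.rstrip(b" \t") for ln in lines)

def signer_digest(text: str) -> str:
    # Assumption: the signer hashes the UTF-8 form of the text.
    return hashlib.sha1(canonical_bytes(text.encode("utf-8"))).hexdigest()

def verifier_digest(wire: bytes, charset: Optional[str]) -> str:
    # charset=None hashes the bytes as delivered; otherwise the verifier
    # decodes with the delivered charset and re-encodes to UTF-8 first.
    if charset is not None:
        wire = wire.decode(charset).encode("utf-8")
    return hashlib.sha1(canonical_bytes(wire)).hexdigest()

def scenarios() -> dict:
    want = signer_digest(SIGNED_TEXT)
    # Transport recoded the text to cp-1252 and switched to CRLF line ends.
    cp1252 = SIGNED_TEXT.replace("\n", "\r\n").encode("cp1252")
    # Lossy recoding: 8859-1 has no euro sign, so it becomes "?".
    lossy = SIGNED_TEXT.encode("iso-8859-1", errors="replace")
    # 8859-1 bytes that the receiver wrongly treats as 8859-15.
    short = "½ kg\n"
    latin1 = short.encode("iso-8859-1")
    return {
        "as_delivered": verifier_digest(cp1252, None) == want,
        "recoded_to_utf8": verifier_digest(cp1252, "cp1252") == want,
        "lossy_recode": verifier_digest(lossy, "iso-8859-1") == want,
        "latin1_read_as_latin9":
            verifier_digest(latin1, "iso-8859-15") == signer_digest(short),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```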
