ietf-openpgp

Re: Clearsigning, MIME, etc.

2002-04-17 16:50:26

On 2002-04-17 15:46:51 -0700, Jon Callas wrote:

In order to verify a signature I make, I suppose he'd have to re-encode the data as presented to him from cp-1252 to utf-8. (He consistently reported that he could not verify the signatures I made.)

Yes, and this is exactly the process that I insist implementers do.

... as opposed to users!

UTF-8 is mandated to be the default. It always has been. All text is UTF-8 unless there is a tag telling you it isn't. If the handwaving I do in the Charset section of 6.2 is causing problems, I will be happy to remove it. I will also be happy to explicitly say all text is UTF-8.

The handwaving sends one message: "In theory, it's all utf-8. In practice, forget about character sets." And that's, it seems, how things are implemented nowadays.

I suppose we could just declare that text is UTF-8.

I'd certainly prefer that approach. Whatever is inside a type 't' literal packet is considered to be utf-8.

In that case, there's no need for a charset header, except with clearsigning, where it should indicate the character set in which the cleartext has been represented while the hash. From a systematic point of view, it would be reasonable to assume utf-8 unless stated otherwise. From a practical point of view, conversion should only be done if an explicitly-given character set (Charset header) is different from the one used to represent the data (to be determined out-of-band, for instance by using nl_langinfo(CODESET)). If no Charset header is given, no recoding should happen.

construct OpenPGP headers,

Eh?  You don't need to construct any OpenPGP headers with PGP/MIME.

Yes, I do. If I want to construct a clearsigned message from a MIMEd message, I have to figure out the right spot to insert "-----BEGIN PGP SIGNED MESSAGE-----" at the very least, and maybe a "Hash: SHA1" header, and maybe a character set header. It's much easier for me to not verify your signature. If it were clearsigned, I can just copy it into a text file.

Don't do that. Just save the first MIME part (in on-the-wire format, including headers; ups) to one file, the signature to a second one, and treat it as a detached signature.

The problem with getting anything implemented is that NAI does not support PGP any more.

Well, my exercise shows it can work with no NAI involvement.

Of course. However, that implementation is still around, and still the most widely used one on the most widely used platform, I'd guess.

--
Thomas Roessler                        <roessler(_at_)does-not-exist(_dot_)org>
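
The recoding rule proposed in this message (recode only when an explicit Charset header differs from the local representation, and never when the header is absent), as an added example that is not part of the original post or of any OpenPGP implementation. The function names and the sample text are hypothetical, and only the raw text bytes are hashed: a real text signature also canonicalizes line endings and hashes signature metadata.

```python
import codecs
import hashlib


def same_charset(a, b):
    """Compare charset names after alias normalisation (UTF8 == utf-8)."""
    return codecs.lookup(a).name == codecs.lookup(b).name


def bytes_to_hash(displayed, charset_header, local_codeset):
    """Return the bytes to feed to the hash when verifying cleartext.

    displayed      -- cleartext bytes as represented on the verifier's system
    charset_header -- value of the armor "Charset:" header, or None if absent
    local_codeset  -- encoding of `displayed`, determined out-of-band
                      (e.g. nl_langinfo(CODESET) on POSIX)
    """
    if charset_header is None:
        return displayed                      # no header: no recoding
    if same_charset(charset_header, local_codeset):
        return displayed                      # already in the signed form
    text = displayed.decode(local_codeset)    # raises on undecodable input
    return text.encode(charset_header)        # raises if not representable


def digest(data):
    # SHA-1 only because the thread's example header is "Hash: SHA1".
    return hashlib.sha1(data).hexdigest()


# Constructed sample: signer hashed UTF-8, verifier's mailer shows cp1252.
SIGNED_TEXT = "Grüße aus Köln"
signer_digest = digest(SIGNED_TEXT.encode("utf-8"))
displayed = SIGNED_TEXT.encode("cp1252")

naive_digest = digest(displayed)
recoded_digest = digest(bytes_to_hash(displayed, "UTF-8", "cp1252"))
no_header_digest = digest(bytes_to_hash(displayed, None, "cp1252"))

if __name__ == "__main__":
    print("signer      ", signer_digest)
    print("naive       ", naive_digest, naive_digest == signer_digest)
    print("recoded     ", recoded_digest, recoded_digest == signer_digest)
```

Hashing the cp1252 bytes as displayed gives a different digest from the signer's, which matches the failed verifications described at the top of the message; recoding to the declared charset before hashing restores the match.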
