ietf-openpgp

Clarification needed on compressed messages

2003-07-30 10:35:03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was sent an interesting interoperability problem today with a signed
message that wouldn't verify in GnuPG.  After some examination, and
once the encryption was stripped off, it seemed that it was a message
of the form:

   signature packet + compressed packet (literal packet)

That is, a signature packet, followed by a compressed packet which
contained a literal packet.

In the grammar, the latest draft (and 2440 also) say that a "Signed
Message" is:

Signed Message :- Signature Packet, OpenPGP Message |
               One-Pass Signed Message

GnuPG (and it seems the new PGP) generate the One-Pass method, but
still accept the common SIG+LITERAL construction.  No problems there.

However, since a valid "OpenPGP Message" may be a "Compressed
Message", that would also make the message I received a legal
construction.

Is this the intent?  And if so, in a SIG+COMPRESSED(LITERAL) message,
is the SIG issued over COMPRESSED(LITERAL) or LITERAL ?

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc2 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iEYEARECAAYFAj8oAcIACgkQ4mZch0nhy8nJDwCfSJWF6kyPCftYxSxt8XrpFI/I
oIsAoNsuRokjGOdrBu1lKlUUnBJnCXb5
=4pFJ
-----END PGP SIGNATURE-----
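
An added example, not part of the original post: a small parser that splits a byte string into OpenPGP packets and names its shape under a subset of the RFC 2440 message grammar (Literal, Compressed and Signed Messages; Encrypted Messages are omitted), showing that the structure described in the message matches the "Signature Packet, OpenPGP Message" rule. The function names are hypothetical, the sample bytes are constructed, and the signature body is a placeholder; the code does not verify signatures, so it says nothing about which bytes the signature covers.

```python
import zlib
SIG, ONEPASS, COMPRESSED, LITERAL = 2, 4, 8, 11   # RFC 2440 packet tags
def packets(buf):  # split bytes into (tag, body); old- and new-format headers
    out, i = [], 0
    while i < len(buf):
        h = buf[i]; i += 1
        if not h & 0x80:
            raise ValueError("not a packet header")
        if h & 0x40:                               # new format
            tag, o = h & 0x3F, buf[i]; i += 1
            if o < 192:
                n = o
            elif o < 224:
                n = ((o - 192) << 8) + buf[i] + 192; i += 1
            elif o == 255:
                n = int.from_bytes(buf[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                      # old format
            tag, width = (h >> 2) & 0x0F, (1, 2, 4, 0)[h & 3]
            n = int.from_bytes(buf[i:i + width], "big") if width else len(buf) - i
            i += width
        if i + n > len(buf):
            raise ValueError("truncated packet")
        out.append((tag, buf[i:i + n])); i += n
    return out

def structure(pk):  # name the shape under a subset of the message grammar
    tags = [t for t, _ in pk]
    if tags == [LITERAL]:
        return "LITERAL"
    if tags == [COMPRESSED]:
        algo, data = pk[0][1][0], pk[0][1][1:]
        inflate = {0: bytes, 1: lambda d: zlib.decompress(d, -15), 2: zlib.decompress}
        return "COMPRESSED(" + structure(packets(inflate[algo](data))) + ")"
    if len(tags) >= 2 and tags[0] == SIG:          # Signature Packet, OpenPGP Message
        return "SIG+" + structure(pk[1:])
    if len(tags) >= 3 and tags[0] == ONEPASS and tags[-1] == SIG:
        return "ONEPASS+" + structure(pk[1:-1]) + "+SIG"
    raise ValueError("not an OpenPGP Message in this subset")

def old_packet(tag, body):                         # builds the constructed samples
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

z = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw DEFLATE = algorithm 1 (ZIP)
literal = old_packet(LITERAL, b"b\x00" + bytes(4) + b"hello\n")
compressed = old_packet(COMPRESSED, b"\x01" + z.compress(literal) + z.flush())
dummy_sig = old_packet(SIG, bytes(8))              # placeholder, not a real signature
print(structure(packets(dummy_sig + compressed)))
```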
