ietf-openpgp

Let's resolve the end-of-line and whitespace question

2004-02-11 13:54:05

I'm not going to be in Seoul, but one thing I think would be good to
be discussed, whether on this list, in Seoul, or both, is the textmode
end-of-line and whitespace issues.

This is not a severe interoperability problem by any means, but is an
annoyance that pops up now and again, and I think contributes in a
small way to the poor interoperability reputation that OpenPGP has.

As I understand it, there are actually two different problems here.
I'll take them in order:

1) 2440 says of the canonical text signature (sigclass 0x01):

        The signature is calculated over the text data with its line
        endings converted to <CR><LF> and trailing blanks removed.

   This is different than what every version of PGP through 8 does.
   These implementations do the <CR><LF> line endings, but do not
   remove trailing blanks (essentially PGP 2.x behavior).

2) 2440 says of the cleartext signature:

        Also, any trailing whitespace (spaces, and tabs, 0x09) at the
        end of any line is ignored when the cleartext signature is
        calculated.

   Again, PGP through 8 implements this differently than 2440 says,
   where trailing spaces are removed, but trailing tabs are not
   (again, PGP 2.x behavior).

I've seen comments that these details were inadvertent errors in 2440
that would have or should have been fixed, and requests to the WG to
change these two details in 2440bis to match the historical PGP
behavior (after all, PGP 5 predates 2440 and there is a huge installed
base of PGP 5-8).  I've also seen comments that the WG mustn't change
the published standard this many years after the fact to match
behavior already declared noncompliant.

As for me, I don't really have strong feelings for any particular
outcome of this.  What I do care about is that once 2440bis is
published, that it is clear what the "right" way to do things is and
that there will not be questions later.  I don't want it suggested
that the issue wasn't looked at.

Jon Callas pointed out in
<http://www.imc.org/ietf-openpgp/mail-archive/msg03753.html>, that if
programs would just put their particular variation on canonical text
in the literal data packet accompanying the signature, then a lot of
the problems just go away.  This is a good point, and is, in fact,
what both PGP and GnuPG do, which is one reason why #1 hasn't been a
larger problem.  Unfortunately, this practice does not handle
canonical text detached signatures or cleartext signatures, as these
have no literal data packet.  On the brighter side, this practice
means that changing one program's behavior to match the other would
not be a major backwards compatibility problem.

David
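
The four canonicalization behaviours described in the message above, as an added example that is not part of the original post or of any OpenPGP implementation: it shows which of them feed different bytes to the signature hash for the same text. Assumptions: "blanks" in the 2440 text-signature rule is read as spaces only, SHA-256 over the canonical text stands in for the real signature hash input, cleartext dash-escaping is not modelled, and all names and the sample message are constructed for illustration.

```python
import hashlib
import re

# Trailing bytes each behaviour strips from every line before hashing.
# Labels and the dict itself are hypothetical, built from the message above.
BEHAVIOURS = {
    "text-sig, RFC 2440": b" ",     # assumption: "blanks" read as spaces only
    "text-sig, PGP 2.x-8": b"",     # <CR><LF> conversion only, nothing stripped
    "cleartext, RFC 2440": b" \t",  # trailing spaces and tabs ignored
    "cleartext, PGP 2.x-8": b" ",   # trailing spaces removed, tabs kept
}

def canonicalize(text: bytes, strip: bytes) -> bytes:
    """Convert CRLF, bare CR and bare LF to <CR><LF>; drop trailing `strip` bytes."""
    lines = re.split(rb"\r\n|\r|\n", text)  # CRLF first so it is one break
    if strip:
        lines = [line.rstrip(strip) for line in lines]
    return b"\r\n".join(lines)

def digests(text: bytes) -> dict:
    """SHA-256 of the canonical form under each behaviour (stand-in hash input)."""
    return {name: hashlib.sha256(canonicalize(text, strip)).hexdigest()
            for name, strip in BEHAVIOURS.items()}

def disagreements(text: bytes) -> list:
    """Pairs of behaviours that would hash different bytes for this text."""
    d = digests(text)
    names = list(d)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if d[a] != d[b]]

# Constructed sample: one line ending in a space, one in a tab, one clean.
SAMPLE = b"trailing space \ntrailing tab\t\nclean line\n"

if __name__ == "__main__":
    for name, digest in digests(SAMPLE).items():
        print(f"{name:22} {digest[:16]}")
    for a, b in disagreements(SAMPLE):
        print(f"mismatch: {a} vs {b}")
```

Text with no trailing spaces or tabs produces no mismatches whatever its line endings, which is why the difference only surfaces now and again.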