Daniel A. Nagy wrote:
> On Mon, Oct 10, 2005 at 11:43:05AM +0100, Ben Laurie wrote:
>> Section 7 says that the last bit of a cleartext signature is:
>> "The ASCII armored signature(s) including the '-----BEGIN PGP
>> SIGNATURE-----' Armor Header and Armor Tail Lines."
>> This is ambiguous, since in previous sections "Armor Header" has
>> referred to name/value pairs, of which there could be none or more than
>> one, and not the "-----blah-----" line, which is called the "Armor
>> Header Line".
>> Since I have seen signatures both with and without headers (i.e. some
>> with no headers do not have a blank line between the header line and the
>> armoured text), I'd like to know what is actually correct here!
>
> Most implementations that I have encountered or written use headers in the
> signature part of clearsigned documents and in the absence of any still
> leave an empty line. I think this is the correct behavior, though the
> "be liberal in what you accept and conservative in what you send" mantra
> would imply that implementations MAY accept signatures without an empty
> line, but MUST NOT generate them.

That mantra has been shown to be a less than great idea recently, since it
promotes interestingly obscure security holes, so I still would like to
know what the correct behaviour is, and I'd like the I-D to accurately
document that behaviour.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
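
The two behaviours discussed in this thread, as an added example that is not part of the original messages or of any implementation mentioned in them. It assumes the layout Armor Header Line, zero or more "Key: Value" Armor Headers, one blank line, armored data, Armor Tail Line; the function names and the sample blocks are constructed for illustration.

```python
BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"

class ArmorError(ValueError):
    pass

def parse_signature_armor(text, strict=True):
    """Split an armored signature block into (headers, data_lines).

    strict=True  requires the blank separator line, even with zero headers.
    strict=False also accepts data directly after the Armor Header Line.
    """
    lines = [ln.rstrip("\r") for ln in text.strip("\n").split("\n")]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ArmorError("missing Armor Header Line or Armor Tail Line")
    body = lines[1:-1]
    headers, i = [], 0
    # Armor Headers are "Key: Value" pairs; base64 data never contains ": ".
    while i < len(body) and ": " in body[i]:
        key, value = body[i].split(": ", 1)
        headers.append((key, value))
        i += 1
    if i < len(body) and body[i].strip() == "":
        i += 1  # consume the blank separator line
    elif strict:
        raise ArmorError("no blank line between Armor Header(s) and data")
    data = body[i:]
    if not data or any(ln.strip() == "" for ln in data):
        raise ArmorError("empty or interrupted armored data")
    return headers, data

def accepted(text, strict):
    """True if the block parses under the chosen policy."""
    try:
        parse_signature_armor(text, strict)
        return True
    except ArmorError:
        return False

# Constructed sample blocks; the base64 text is filler, not a real signature.
DATA = "QUFBQUFBQUFBQUFBQUFBQQ==\n=AAAA"
WITH_HEADER = f"{BEGIN}\nVersion: Example 1.0\n\n{DATA}\n{END}\n"
NO_HEADER = f"{BEGIN}\n\n{DATA}\n{END}\n"   # no headers, blank line kept
NO_BLANK = f"{BEGIN}\n{DATA}\n{END}\n"      # no headers, no blank line

if __name__ == "__main__":
    for name in ("WITH_HEADER", "NO_HEADER", "NO_BLANK"):
        block = globals()[name]
        print(name, "strict:", accepted(block, True),
              "lenient:", accepted(block, False))
```

Only the NO_BLANK form is treated differently by the two policies, which is the case where two implementations can disagree about the same input.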