On Fri, Jan 06, 2006 at 10:05:41PM +0100, Daniel A. Nagy wrote:
On Fri, Jan 06, 2006 at 02:12:58PM +0100, Werner Koch wrote:
Frankly, I believe that all headers except for Hash are not very
useful. People are often bemused if you tell them that they should
use sed to fix or add armor header lines. I am pretty sure many of
them believe that the armor header lines are part of the signed text
which does not wonder me because a line just above says "begin pgp
signed message" and not "pgp signed messages begins after the next
blank line".
That is precisely why I think that headers should not be displayed when
reporting on successful verification, but that's just a "best practice" and
has little bearing on the standard.
Otherwise, I agree with you that cleartext signed messages are least
ambiguous with just Hash headers and nothing else before the clearsigned
content. Maybe, we should consider disallowing everything else? After all,
version information and other stuff can go to the armor header of the
signature. Placing headers before the actual clearsigned content is
confusing, indeed. I don't think that many implementations use this
"feature", so by disallowing it, we might not break anythink. What do you
think?
I think it is already done this way. Section 7 says:
The cleartext signed message consists of:
- The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a
single line,
- One or more "Hash" Armor Headers,
- Exactly one empty line not included into the message digest,
- The dash-escaped cleartext that is included into the message
digest,
- The ASCII armored signature(s) including the '-----BEGIN PGP
SIGNATURE-----' Armor Header and Armor Tail Lines.
Seems fairly clear that the only header that should go before the text
is "Hash". Comment and/or Version would need to go in the BEGIN PGP
SIGNATURE/END PGP SIGNATURE block at the end of the document.
Does any implementation actually generate Comment and/or Version
headers before the clearsigned text (rather than in the armored
signature at the end of the clearsigned text) ?
David