Sam Hartman wrote:
> Do people in the working group support making the change Chris
> proposes? It is unlikely to be required by the IESG and is unlikely
> to delay the document either way. The question is whether people
> believe that it would make the document better.
I object, most strongly!
The paragraph at the beginning states quite clearly:
================================
7. Cleartext signature framework
It is desirable to be able to sign a textual octet
stream without ASCII armoring the stream itself, so the
signed text is still readable without special software. In
order to bind a signature to such a cleartext, this
framework is used. (Note that this framework is not intended
to be reversible. RFC 3156 defines another way to sign
cleartext messages for environments that support MIME.)
================================
This section/feature is not to do with email. The format
*MAY* be used over email, and takes some care to permit
mailers to send that format. However, this format is about
signing documents, not sending emails. The paragraph above
quite clearly mentions the other context of sending messages
over email, by referring to RFC 3156.
Specifically, OpenPGP's cleartext signature format is used
for signing documents that might have legal import. (E.g.,
a human signing that indicates that the signatory
reads/understands/intends/accepts the document, something
that practically no other RFC addresses.)
According to legal context, separated signatures aren't much
use, and indeed, will likely raise costs and cause false
expectations. MIME, etc., are pretty much useless in a legal
context because there is no easy way to both prove the
signature *and* convince a skeptical audience (judge & jury)
that the document is indeed signed.
Discussions of crud, etc., miss the point. OpenPGP is not a
standard for only email encryption, and should not be
treated as only such. It *MAY* be and is widely used for
email, but should not be confused with other more custom
email encryption designs such as S/MIME, that can only be
used for email.
Likewise, his point on "deployment of technology" is
out of place in a technology that is now 15 years old. The
RFC won't change its success one way or another.
(I have no comment on his comment about normative and other
nitpicks!)
iang
PS: For more commentary on the legal aspects of using
OpenPGP cleartext signatures see
http://iang.org/papers/ricardian_contract.html
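As an added illustration of the quoted section 7 text (not part of the post or of any OpenPGP implementation), the following parser splits a cleartext-signed message into its Hash header, dash-unescaped text and armored signature block, returning the text in the canonical form RFC 4880 hashes. The sample message and its signature block are constructed placeholders, which is why the framework is described as not reversible: trailing whitespace and dash-escaping are normalised away before verification.

```python
"""Minimal parser for the OpenPGP cleartext signature framework (RFC 4880 section 7)."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample; the signature body is a placeholder, not a real packet.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear counterparty,   
- -- terms below are binding --
Regards
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-DATA
-----END PGP SIGNATURE-----
"""


def parse_cleartext_signed(message: str) -> dict:
    """Return {'hashes', 'text', 'signature'} for a cleartext-signed message.

    'text' is the canonical form used as hash input: dash-escaping removed,
    trailing spaces/tabs stripped, CRLF line endings, and no line ending
    before the signature line. The original spacing cannot be recovered.
    """
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a cleartext-signed message") from exc

    # Armor headers (e.g. "Hash: SHA256") run until the first blank line.
    hashes = []
    i = start + 1
    while i < sig_start and lines[i].strip():
        name, _, value = lines[i].partition(":")
        if name.strip() == "Hash":
            hashes.extend(h.strip() for h in value.split(","))
        i += 1
    body = lines[i + 1:sig_start]

    canonical = []
    for line in body:
        if line.startswith("- "):          # undo dash-escaping (section 7.1)
            line = line[2:]
        canonical.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    return {"hashes": hashes, "text": "\r\n".join(canonical),
            "signature": "\n".join(lines[sig_start:sig_end + 1])}
```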