On Tue, 2015-03-17 at 12:44 -0700, Jon Callas wrote:
> Just get rid of the notion of text. Make it be all binary.
Agreed 100%. OpenPGP should never do any conversions (e.g. for
signature verifications), hinting or anything else with respect to "text
The best thing that can happen is that nothing gets worse (cause even if
the OpenPGP implementation would do everything right, the MUA or any
other application on top/below may still mangle up data).
The worst thing that can happen is that one could trick
users/implementations into taking things as signed in a form which they
were not intended to be signed, e.g. I deliberately only wanted to have
the file with \n EOLs to be signed, but not any \n\r. In such a case
however, if a "text mode" is identified, the peer's application would
also trust that.
With character encodings things are probably even worse.
All should be binary.
openpgp mailing list
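
The concern raised in this message, as an added example that is not part of the original post: for a text-mode signature (RFC 4880 signature type 0x01) the document is hashed after its line endings are converted to CRLF, so two files with different bytes are covered by the same signature. The function names and sample files are constructed for illustration, and only the document portion of the hash input is modelled.

```python
import hashlib


def canonical_text(data: bytes) -> bytes:
    """Line-ending canonicalization used for a text-mode signature
    (RFC 4880, signature type 0x01): every line ending becomes CRLF.
    Simplification: only LF and CRLF are treated as line endings."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def data_digest(data: bytes, text_mode: bool) -> str:
    """Digest of the document portion only. A real OpenPGP signature also
    hashes a signature trailer; it is the same for both inputs within one
    mode, so leaving it out does not change the comparison."""
    if text_mode:
        data = canonical_text(data)
    return hashlib.sha256(data).hexdigest()


def same_signed_content(a: bytes, b: bytes, text_mode: bool) -> bool:
    """True if one signature in the given mode would cover both inputs."""
    return data_digest(a, text_mode) == data_digest(b, text_mode)


# Constructed sample files: same text, different line endings on disk.
LF_FILE = b"#!/bin/sh\necho deploy\n"
CRLF_FILE = b"#!/bin/sh\r\necho deploy\r\n"

if __name__ == "__main__":
    for text_mode in (False, True):
        label = "text  " if text_mode else "binary"
        covered = same_signed_content(LF_FILE, CRLF_FILE, text_mode)
        print(f"{label} mode: LF and CRLF variants share a signature: {covered}")
```

In binary mode the signer's exact bytes are what the verifier checks; in text mode the verifier reports a good signature for either variant, even if the signer only ever produced one of them.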