Hi!
As I mentioned to Werner and Daniel at DebConf 15, I think the
specification of the OpenPGP Armor Messages has some unclear parts,
which I think were part of the reason for several security issues
in multiple projects due to mismatched parsing of Armor Header Lines.
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695919>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695932>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696230>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696234>
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704613>
Here are some things that would be good to clarify in RFC4880:
* In §6.2 there's no explicit definition of what ASCII characters are
to be considered whitespace (contrast that with §7.1). In this case
GnuPG considers whitespace to be «SPACE 0x20, HT 0x09 and CR 0x0D»
and now most tools in Debian do too. I don't know if that matches
with PGP for example.
* In §7, mention that this is a specific instance of §6.2?
* In §7, probably clarify that by «empty» in:
«- Exactly one empty line not included into the message digest,»
it means «blank» as in §6.2:
«- A blank (zero-length, or containing only whitespace) line»
Thanks,
Guillem
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp