[openpgp] A way to securely define cleartext signature charset

Hi,

today I struggled for several hours with "charset guessing" code, that handles
cleartext signatures in outlook and I thought that maybe this situation could
be improved a bit in the future?

I dislike cleartext signatures as much as the next guy (probably more ;-) ).
The points made in [1] are valid and such messages should not be used.
But realistically I think that they won't go away.

My idea would be to define that after the Hash: header and the blank line
(which starts the hashing) that there can be:

Optionally a "Charset" Armor Header followed by one blank line,
both included in the message digest.

So a message like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Charset: UTF-8

This is än example mässäge.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRwkxlKrbuKLRTTyRcpeOnUDLq6XAUCW5J/hwAKCRApeOnUDLq6
XLEJAP45MRTaU61PFP8RDaV6cvyzFqQUmXy6lvQIf2TcomOfcwEAt+oa3hUzaAGT
KEEKB1375wj2nf38Tg+FjgWKsHkKZAw=R36C
-----END PGP SIGNATURE-----


An rfc4880 implementation would just show:
----
Charset: UTF-8

This is än example mässäge.
----

Ok that is slightly ugly but it's informative and the signature will still be
verified correctly.
An rfc4880bis application could evaluate the header and omit it in the output.


Attached is a patch to the draft.


Best Regards,
Andre


1: https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/
--
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

0001-Add-optional-charset-specification.patch
Description: Text Data

signature.asc
Description: This is a digitally signed message part.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp