Hi,

today I struggled for several hours with "charset guessing" code that handles
cleartext signatures in Outlook, and I thought that maybe this situation could
be improved a bit in the future?

I dislike cleartext signatures as much as the next guy (probably more ;-) ).
The points made in [1] are valid and such messages should not be used.
But realistically I think that they won't go away.

My idea would be to define that after the Hash: header and the blank line
(which starts the hashing) there can be:

Optionally a "Charset" Armor Header followed by one blank line,
both included in the message digest.

So a message like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Charset: UTF-8

This is än example mässäge.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRwkxlKrbuKLRTTyRcpeOnUDLq6XAUCW5J/hwAKCRApeOnUDLq6
XLEJAP45MRTaU61PFP8RDaV6cvyzFqQUmXy6lvQIf2TcomOfcwEAt+oa3hUzaAGT
KEEKB1375wj2nf38Tg+FjgWKsHkKZAw=
=R36C
-----END PGP SIGNATURE-----

An rfc4880 implementation would just show:

----
Charset: UTF-8

This is än example mässäge.
----

OK, that is slightly ugly, but it's informative and the signature will still be
verified correctly.

An rfc4880bis application could evaluate the header and omit it in the output.

Attached is a patch to the draft.

Best Regards,
Andre

1: https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
0001-Add-optional-charset-specification.patch
Description: Text Data
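
A sketch of how a reader could handle the layout proposed in the message above, showing what a legacy and a charset-aware reader would display and that the Charset line is part of the hashed text. This is an added example, not the attached patch or any implementation's code: the sample message is constructed with a placeholder signature, signature verification is out of scope, and the function names and the `fallback` parameter are assumptions.

```python
import re

# Constructed sample in the proposed layout; the signature body is a placeholder.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Charset: UTF-8\n"
    "\n"
    "This is än example mässäge.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
).encode("utf-8")

CHARSET_LINE = re.compile(rb"^Charset: ([A-Za-z0-9._:-]+)[ \t]*$")


def signed_lines(raw):
    """Dash-unescaped lines between the armor headers and the signature."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    start = lines.index(b"-----BEGIN PGP SIGNED MESSAGE-----")
    blank = lines.index(b"", start)  # blank line that ends the Hash: headers
    end = lines.index(b"-----BEGIN PGP SIGNATURE-----", blank)
    return [l[2:] if l.startswith(b"- ") else l for l in lines[blank + 1:end]]


def digest_input(raw):
    """RFC 4880 canonical text: trailing blanks stripped, CRLF between lines."""
    return b"\r\n".join(l.rstrip(b" \t") for l in signed_lines(raw))


def display(raw, charset_aware, fallback="utf-8"):
    """Text shown to the user; only a charset-aware reader consumes the header."""
    lines = signed_lines(raw)
    m = CHARSET_LINE.match(lines[0]) if len(lines) >= 2 and lines[1] == b"" else None
    if charset_aware and m:
        try:
            # bytes.decode() raises LookupError for unknown and non-text codecs
            return b"\n".join(lines[2:]).decode(m.group(1).decode("ascii"), "replace")
        except LookupError:
            pass  # fall through and show the header rather than guess silently
    return b"\n".join(lines).decode(fallback, "replace")


if __name__ == "__main__":
    print(display(SAMPLE, charset_aware=True))
    print(display(SAMPLE, charset_aware=False, fallback="latin-1"))
```

Because the Charset line is inside the digest input, changing it after signing alters the hashed bytes, so a reader should act on the header only once the signature has verified.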