Today I struggled for several hours with "charset guessing" code that handles
cleartext signatures in Outlook, and I thought that maybe this situation could
be improved a bit in the future?
I'll add a data point. Some years back, the PGP Desktop product added an
unsigned "Charset" header to its ASCII armor. The result looked like this:
-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 4.2.1
Charset: iso-8859-1
It solved a real-world problem of intermediate software re-writing character
sets using lossless conversions. It didn't solve the security issue in your
link to DKG's post. In practice it also didn't avoid 2-pass signature
verification.
Cheers,
-Neil
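
An added example, not part of the original message and not PGP Desktop's code: one way a verifier could treat the unsigned Charset armor header as a hint to undo a lossless transcoding before hashing. The function names, the allow-list and the sample message are constructed for illustration, and the sketch assumes the transport delivered UTF-8; because the header only appears after the body, the body has to be buffered before the bytes to hash are known.

```python
import codecs
import hashlib

# Constructed sample: a cleartext-signed message that a gateway transcoded
# from ISO-8859-1 to UTF-8. The signature data is a placeholder.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Grüße aus Köln\n"
    "- -Neil\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: PGP SDK 4.2.1\n"
    "Charset: iso-8859-1\n"
    "\n"
    "PLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
).encode("utf-8")

# Assumption: the header is unauthenticated, so only a fixed set is accepted.
ALLOWED = {codecs.lookup(n).name for n in ("utf-8", "iso-8859-1", "windows-1252")}

def split_cleartext(raw: bytes):
    """Return (body_lines, armor_headers); the headers come after the body."""
    lines = raw.decode("utf-8").splitlines()
    start = lines.index("", lines.index("-----BEGIN PGP SIGNED MESSAGE-----")) + 1
    sig = lines.index("-----BEGIN PGP SIGNATURE-----")
    # Undo dash-escaping ("- " prefix) applied to lines starting with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:sig]]
    headers = {}
    for l in lines[sig + 1:]:
        if not l.strip():
            break  # blank line ends the armor headers
        key, _, value = l.partition(": ")
        headers[key] = value
    return body, headers

def signed_bytes(raw: bytes) -> bytes:
    """Rebuild the byte string to hash, using Charset only as a hint."""
    body, headers = split_cleartext(raw)
    try:
        codec = codecs.lookup(headers.get("Charset", "utf-8")).name
    except LookupError:
        raise ValueError("unknown charset hint")
    if codec not in ALLOWED:
        raise ValueError("charset hint not in allow-list")
    # Canonical text: trailing blanks stripped, CRLF between lines, none at end.
    canon = "\r\n".join(l.rstrip(" \t") for l in body)
    return canon.encode(codec)  # raises if the conversion would be lossy

if __name__ == "__main__":
    print(hashlib.sha256(signed_bytes(SAMPLE)).hexdigest())
```

The signature check itself still has to succeed over these bytes; a tampered header can only make verification fail or select another allow-listed decoding, which is why it stays a hint.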