On Sat, 8 Sep 2018 20:27, aheinecke(_at_)intevation(_dot_)de said:
Mostly because in an Application you can already use the information from the
header before you do any OpenPGP parsing / signature verification.
Verification tools already need to consider an unsigned armor header to
figure out the digest algorithm to use. However, this is sometimes not
enough because some tools used to have peculiar interpretation of white
space and line endings or the "Hash" header line was missing. Thus, for
one-pass processing running a second hash context was (or well, is)
useful. Adding a "Charset" header and automatically try to convert
would lead to an even more complex verification step. I don't think
that is justified.
Better have a way to sign the character set info and present this to the
user in the Good and in the Bad verification case. On a bad
verification the user can then choose to convert and try a verification
again. That would not be a one-pass processing anymore but for the ugly
cleartext signatures this seems to be acceptable.
I would thus suggest this new standard notation:
##### The 'charset' Notation
The "charset" notation is a description of the character set used to
encode the signed plaintext. The default value is "UTF-8". If used,
the value MUST be encoded as human readable and MUST be present in the
hashed subpacket section of the signature. This notation is useful
for cleartext signatures in cases where it is not possible to encode
the text in UTF-8. By having the used character set a part of the
signed data, attacks exploiting different representation of code
points will be mitigated.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
pgpvhmtK4bLSp.pgp
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp