On Tuesday, September 11, 2018 11:53:54 AM CEST Werner Koch wrote:
> Verification tools already need to consider an unsigned armor header to
> figure out the digest algorithm to use. However, this is sometimes not
> enough because some tools used to have peculiar interpretation of white
> space and line endings or the "Hash" header line was missing. Thus, for
> one-pass processing running a second hash context was (or well, is)
> useful. Adding a "Charset" header and automatically try to convert
> would lead to an even more complex verification step. I don't think
> that is justified.

Thinking more from the "backend" standpoint and less from the application
using the backend, this makes sense to me. A minor issue is that my application
might temporarily show the wrong representation before the verification is done,
but I guess that is indeed minor.

> Better have a way to sign the character set info and present this to the
> user in the Good and in the Bad verification case. On a bad
> verification the user can then choose to convert and try a verification
> again. That would not be a one-pass processing anymore but for the ugly
> cleartext signatures this seems to be acceptable.

Yes, as for me the "User" would be my application and not the person sitting
in front of the computer, I think that is acceptable as it can be handled
automatically.

> I would thus suggest this new standard notation:
>
> ##### The 'charset' Notation
>
> The "charset" notation is a description of the character set used to
> encode the signed plaintext. The default value is "UTF-8". If used,
> the value MUST be encoded as human readable and MUST be present in the
> hashed subpacket section of the signature. This notation is useful
> for cleartext signatures in cases where it is not possible to encode
> the text in UTF-8. By having the used character set a part of the
> signed data, attacks exploiting different representation of code
> points will be mitigated.

I like it.
"The default value is "UTF-8"" -> Do I understand this correctly that this
basically means: If no charset notation is provided a cleartext signature MUST
be in UTF-8?
That would be great.
Thanks and best regards,
Andre
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
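
The following is an added example, not code from this thread or from any OpenPGP implementation: a sketch of how a verifier could take the display charset only from a "charset" notation in the hashed subpacket area, falling back to the proposed UTF-8 default. The subpacket framing follows RFC 4880 notation data (type 20); the function names and the sample bytes are constructed for illustration, and signature verification itself is assumed to happen elsewhere.

```python
import struct

NOTATION_DATA = 20            # RFC 4880 subpacket type: notation data
HUMAN_READABLE = 0x80         # first flag octet: value is human-readable text
SAMPLE = b"Pay 100 \xa4"      # constructed: 0xA4 differs between Latin-1 and Latin-9

def subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        hdr = 1 if first < 192 else 2 if first < 255 else 5
        if i + hdr >= len(area):
            raise ValueError("truncated subpacket header")
        if hdr == 1:
            length = first
        elif hdr == 2:
            length = ((first - 192) << 8) + area[i + 1] + 192
        else:
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
        i += hdr
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length

def signed_charset(hashed_area: bytes) -> str:
    """Charset named by the signed notation, else the proposal's default."""
    for sp_type, body in subpackets(hashed_area):
        if sp_type != NOTATION_DATA or len(body) < 8:
            continue
        flags, name_len, value_len = body[0], *struct.unpack(">HH", body[4:8])
        name = body[8:8 + name_len]
        value = body[8 + name_len:8 + name_len + value_len]
        if name == b"charset":
            if not flags & HUMAN_READABLE:
                raise ValueError("charset notation must be human readable")
            return value.decode("ascii")
    return "UTF-8"            # no notation present: treat the text as UTF-8

def notation(name: bytes, value: bytes, flags: int = HUMAN_READABLE) -> bytes:
    """Build one notation subpacket (helper for constructed test input)."""
    body = bytes([flags, 0, 0, 0]) + struct.pack(">HH", len(name), len(value)) + name + value
    return bytes([len(body) + 1, NOTATION_DATA]) + body

def display_text(signed_bytes: bytes, hashed_area: bytes) -> str:
    """Decode the signed bytes strictly with the charset the signature covers."""
    return signed_bytes.decode(signed_charset(hashed_area))
```

The caller must pass only the hashed subpacket area; a charset taken from the unhashed area or from an armor header is not covered by the signature and gives no protection against re-labelling the same bytes.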