
Last Call: MIME Security with OpenPGP to Proposed Standard

2001-04-28 04:40:01
On Fri, 27 Apr 2001, The IESG wrote:
> The IESG has received a request from the An Open Specification for
> Pretty Good Privacy Working Group to consider MIME Security with
> OpenPGP <draft-ietf-openpgp-mime-06.txt> as a Proposed Standard.

draft-ietf-openpgp-mime-06.txt assumes that the
content-transfer-encoding of a body part in a multipart MIME message
will remain unchanged end to end.  That assumption is not valid.

Some currently deployed mailers (including sendmail) will convert body
parts to or from 8bit content-transfer-encoding.  It's quite possible
that a body part could originate in quoted-printable, be signed like
that, and be converted to 8bit before delivery.

In 1998, many messages to the IETF list ended up with headers like
this, showing conversion to 8bit during delivery of the incoming
message to the list exploder, and conversion from 8bit during delivery
of the outgoing messages to the subscribers:

X-MIME-Autoconverted: from Quoted-printable to 8bit by ietf.org id LAA20175
X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id LAB20435

Similar behaviour is visible today in other mailing lists, but
apparently not the ietf list.

I believe that it's a mistake for OpenPGP to sign the transfer-encoded
form of any message.  The signature should be over the canonical form
of the message, and signature verification should be insensitive to
changes in content-transfer-encoding.

--apb (Alan Barrett)
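
The effect described in the message above, as an added example that is not part of the original post: a body part is re-encoded from quoted-printable to 8bit in transit, and a digest over the transmitted bytes is compared with a digest over the decoded content. SHA-256 stands in for the OpenPGP signature, and the sample text, function names and CRLF canonicalization are assumptions made for the illustration.

```python
import hashlib
import quopri

# Constructed sample body (not from the thread): UTF-8 text with 8-bit bytes.
TEXT = b"Gr\xc3\xbc\xc3\x9fe aus Z\xc3\xbcrich,\nthis body part is signed.\n"


def encode_part(raw: bytes, cte: str) -> bytes:
    """Return the payload as it travels under the given transfer encoding."""
    if cte == "quoted-printable":
        return quopri.encodestring(raw)
    if cte == "8bit":
        return raw
    raise ValueError(f"unsupported content-transfer-encoding: {cte}")


def decode_part(payload: bytes, cte: str) -> bytes:
    """Undo the transfer encoding to recover the content bytes."""
    if cte == "quoted-printable":
        return quopri.decodestring(payload)
    if cte == "8bit":
        return payload
    raise ValueError(f"unsupported content-transfer-encoding: {cte}")


def relay_autoconvert(payload: bytes, cte: str, new_cte: str):
    """Model a converting mailer: same content, different transfer encoding."""
    return encode_part(decode_part(payload, cte), new_cte), new_cte


def digest_transfer_encoded(payload: bytes) -> str:
    """Stand-in for a signature computed over the bytes as transmitted."""
    return hashlib.sha256(payload).hexdigest()


def digest_canonical(payload: bytes, cte: str) -> str:
    """Stand-in for a signature over decoded content with CRLF line endings."""
    raw = decode_part(payload, cte)
    canon = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return hashlib.sha256(canon).hexdigest()


def demo() -> dict:
    sent = (encode_part(TEXT, "quoted-printable"), "quoted-printable")
    delivered = relay_autoconvert(*sent, "8bit")
    return {
        "encoded_match": digest_transfer_encoded(sent[0]) == digest_transfer_encoded(delivered[0]),
        "canonical_match": digest_canonical(*sent) == digest_canonical(*delivered),
    }


if __name__ == "__main__":
    print(demo())
```
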


