Re: Clearsigning, MIME, etc.

At 11:33 AM +0200 4/17/02, Thomas Roessler wrote:

>Congratulations. That was the easy part. I suppose we agree that I
>did things the right way with my message?

If I didn't, then there's something broken with signatures. :-)

>In order to verify a signature I make, I suppose he'd have to
>re-encode the data as presented to him from cp-1252 to utf-8. (He
>consistently reported that he could not verify the signatures I

Yes, and this is exactly the process that I insist implementers do.

>To wrap things up:
> - ASCII armor proper can be fixed by giving a clear specification of
> the character set issues involved: Either mandate UTF-8, or
> mandate tagging and use UTF-8 as the default. The current
> language is considerably too fuzzy, and - I believe - mostly

UTF-8 is mandated to be the default. It always has been. All text is UTF-8
unless there is a tag telling you it isn't. If the handwaving I do in the
Charset section of 6.2 is causing problems, I will be happy to remove it. I
will also be happy to explicitly say all text is UTF-8.

My intent in any fuzziness in that language is because in the real world,
text is often tacitly tagged -- as you've mentioned in detail. The real
message is supposed to be, "go ahead and interpret it any way you want, but
you're on your own."

I suppose we could just declare that text is UTF-8. That doesn't solve the
problem completely, because there's always binary data, and if I send you
binary data that represents 8859-1, and you interpret it as 8859-15, we
still have a problem.

>>construct OpenPGP headers,

>Eh? You don't need to construct any OpenPGP headers with PGP/MIME.

Yes, I do. If I want to construct a clearsigned message from a MIMEd
message, I have to figure out the right spot to insert "-----BEGIN PGP
SIGNED MESSAGE-----" at the very least, and maybe a "Hash: SHA1" header,
and maybe a character set header. It's much easier for me to not verify
your signature. If it were clearsigned, I can just copy it into a text file.

>The problem with getting anything implemented is that NAI does not
>support PGP any more.

Well, my exercise shows it can work with no NAI involvement.

>Finally, hard failures of clearsigning: You can only avoid these by
>making sure that no lossy recoding happens as the data travels from
>signer to verifier. Encouraging people to use utf-8 on the wire (so
>there is at least no lossy recoding on the sending side) may help,
>but you won't get rid of all the problems that way.

>Note that both kinds of clearsigning failures don't occur with
>PGP/MIME: The signed material is invariant under the transformations
>which can reasonably be expected to happen.

Sure. But my grumpiness with OpenPGP/MIME is that I have no software that
does it and don't see how I'm going to get any. It's purely practical.
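
Added example (not part of the original message, and not code from any OpenPGP implementation): a small Python model of the clearsigning failure modes discussed in this thread. It assumes the signer hashes the UTF-8 bytes of the text and uses a bare SHA-256 digest as a stand-in for the signed hash; the message text and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample text with characters outside ASCII.
MESSAGE = "Grüße, das kostet 5 €"

def digest(data: bytes) -> str:
    # Stand-in for the hash an OpenPGP signature would cover (assumption).
    return hashlib.sha256(data).hexdigest()

# The signer computes the digest over the UTF-8 form of the text.
EXPECTED = digest(MESSAGE.encode("utf-8"))

def verify_as_received(wire: bytes) -> bool:
    """Naive verifier: hashes the bytes exactly as the transport delivered them."""
    return digest(wire) == EXPECTED

def verify_recoded(wire: bytes, assumed_charset: str) -> bool:
    """Verifier that decodes from the charset it believes the wire data
    is in, then re-encodes to UTF-8 before hashing."""
    try:
        text = wire.decode(assumed_charset)
    except UnicodeDecodeError:
        return False
    return digest(text.encode("utf-8")) == EXPECTED

def scenarios() -> dict:
    cp1252_wire = MESSAGE.encode("cp1252")        # lossless recode in transit
    latin9_wire = MESSAGE.encode("iso-8859-15")   # lossless, but easy to mistag
    ascii_wire = MESSAGE.encode("ascii", errors="replace")  # lossy recode
    return {
        # No recoding at all: verifies.
        "utf8_as_received": verify_as_received(MESSAGE.encode("utf-8")),
        # Recoded to cp1252 and hashed as-is: soft failure.
        "cp1252_as_received": verify_as_received(cp1252_wire),
        # Same bytes, re-encoded from cp1252 to UTF-8 first: verifies.
        "cp1252_recoded": verify_recoded(cp1252_wire, "cp1252"),
        # 8859-15 bytes read as 8859-1: the euro sign becomes U+00A4, fails.
        "latin9_read_as_latin1": verify_recoded(latin9_wire, "iso-8859-1"),
        # Right tag for the same bytes: verifies.
        "latin9_recoded": verify_recoded(latin9_wire, "iso-8859-15"),
        # Lossy recoding replaced characters with '?': hard failure.
        "lossy_ascii": verify_recoded(ascii_wire, "ascii"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'verifies' if ok else 'FAILS'}")
```

The two recoverable cases depend entirely on the verifier knowing the real wire charset; the lossy case cannot be repaired by any re-encoding on the receiving side.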