Re: Clearsigning, MIME, etc.



At 11:33 AM +0200 4/17/02, Thomas Roessler wrote:

>Congratulations.  That was the easy part.  I suppose we agree that I
>did things the right way with my message?
>

If I didn't, then there's something broken with signatures. :-)

>In order to verify a signature I make, I suppose he'd have to
>re-encode the data as presented to him from cp-1252 to utf-8.  (He
>consistently reported that he could not verify the signatures I
>made.)
>

Yes, and this is exactly the process that I insist implementers do.


>To wrap things up:
>
> - ASCII armor proper can be fixed by giving a clear specification of
>   the character set issues involved: Either mandate UTF-8, or
>   mandate tagging and use UTF-8 as the default.  The current
>   language is considerably too fuzzy, and - I believe - mostly
>   ignored.
>

UTF-8 is mandated to be the default. It always has been. All text is UTF-8
unless there is a tag telling you it isn't. If the handwaving I do in the
Charset section of 6.2 is causing problems, I will be happy to remove it. I
will also be happy to explicitly say all text is UTF-8.

My intent in any fuzziness in that language is because in the real world,
text is often tacitly tagged -- as you've mentioned in detail. The real
message is supposed to be, "go ahead and interpret it any way you want, but
you're on your own."

I suppose we could just declare that text is UTF-8. That doesn't solve the
problem completely, because there's always binary data, and if I send you
binary data that represents 8859-1, and you interpret it as 8859-15, we
still have a problem.

>>construct OpenPGP headers,
>
>Eh?  You don't need to construct any OpenPGP headers with PGP/MIME.

Yes, I do. If I want to construct a clearsigned message from a MIMEd
message, I have to figure out the right spot to insert "-----BEGIN PGP
SIGNED MESSAGE-----" at the very least, and maybe a "Hash: SHA1" header,
and maybe a character set header. It's much easier for me to not verify
your signature. If it were clearsigned, I can just copy it into a text file.


>The problem with getting anything implemented is that NAI does not
>support PGP any more.
>

Well, my exercise shows it can work with no NAI involvement.

>
>Finally, hard failures of clearsigning: You can only avoid these by
>making sure that no lossy recoding happens as the data travels from
>signer to verifier. Encouraging people to use utf-8 on the wire (so
>there is at least no lossy recoding on the sending side) may help,
>but you won't get rid of all the problems that way.
>
>
>Note that both kinds of clearsigning failures don't occur with
>PGP/MIME: The signed material is invariant under the transformations
>which can reasonably be expected to happen.

Sure. But my grumpiness with OpenPGP/MIME is that I have no software that
does it and don't see how I'm going to get any. It's purely practical.

	Jon
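
Added example, not part of the original message or of any OpenPGP implementation: a sketch of the recoding cases discussed in this thread, using a SHA-256 digest over the canonicalized cleartext (trailing whitespace stripped, CRLF line endings) as a stand-in for a real signature. The sample text and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample text; every non-ASCII character here exists in cp-1252.
MESSAGE = "Grüße aus Köln  \nPreis: 5 €\n"

def canonical_digest(text: str) -> str:
    """Hash cleartext the way both ends must: strip trailing spaces/tabs,
    join lines with CRLF, encode as UTF-8 (the default charset)."""
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    canon = "\r\n".join(line.rstrip(" \t") for line in lines)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def verify(raw: bytes, charset: str, signed_digest: str) -> bool:
    """Decode the bytes as delivered, then re-encode to UTF-8 and compare."""
    try:
        return canonical_digest(raw.decode(charset)) == signed_digest
    except UnicodeDecodeError:
        return False

def naive_verify(raw: bytes, signed_digest: str) -> bool:
    """Hash the delivered bytes as-is, ignoring the transport charset."""
    canon = b"\r\n".join(l.rstrip(b" \t") for l in raw.rstrip(b"\n").split(b"\n"))
    return hashlib.sha256(canon).hexdigest() == signed_digest

def scenarios() -> dict:
    signed = canonical_digest(MESSAGE)              # signer hashes UTF-8
    as_cp1252 = MESSAGE.encode("cp1252")            # lossless recoding in transit
    as_latin1 = MESSAGE.encode("iso-8859-1", errors="replace")  # lossy: no euro sign
    as_latin9 = MESSAGE.encode("iso-8859-15")       # euro sign is 0xA4 here
    return {
        "utf8_untouched": naive_verify(MESSAGE.encode("utf-8"), signed),
        "cp1252_naive": naive_verify(as_cp1252, signed),
        "cp1252_reencoded": verify(as_cp1252, "cp1252", signed),
        "latin1_lossy": verify(as_latin1, "iso-8859-1", signed),
        "latin9_read_as_latin1": verify(as_latin9, "iso-8859-1", signed),
        "latin9_tagged": verify(as_latin9, "iso-8859-15", signed),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'verifies' if ok else 'FAILS'}")
```

Only the lossless recodings with a correct charset tag verify after re-encoding to UTF-8; the lossy ISO-8859-1 recoding and the mis-tagged ISO-8859-15 bytes cannot be recovered by the verifier.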