From: Brad Templeton (brad@templetons.com)
Date: Mon Apr 30 2001 - 18:18:39 CDT
On Tue, May 01, 2001 at 02:54:00AM +0200, Kai Henningsen wrote:
> roessler@does-not-exist.org (Thomas Roessler) wrote on 17.04.01 in <20010417104146.B30611@sobolev.does-not-exist.org>:
>
> > Erland Sommarskog wrote:
> >
> > > But downgrading Usenet to 7-bit just to handle signed articles is
> > > not my idea of the 21st century.
> >
> > Breaking a specification so something you don't like isn't used on
> > Usenet is your idea of the 21st century?
>
> Well, it must be said that signing the encoded form *was* a seriously
> stupid idea, exactly *because* that means that changing the encoding
> breaks the signature (but does not change even one bit of the actual
> data). It *seriously* breaks the "spirit of MIME".
>
> OTOH, it was made quite a while ago, before OpenPGP, and I can see why
> OpenPGP kept it, and Usefor should tolerate that.
>
> Don't expect anyone to like it, though.
>
> MfG Kai
It was my understanding that multipart/signed is the reverse. You sign
the encoded form, and you can't re-code.

Encodings are a kludge, created to deal with old 7-bit SMTP. We should
be working our way away from them.

You don't want to sign the non-encoded form as that requires the transport
to understand the encodings in order to check the signature. The client
can't effectively check the signature -- kinda pointless to eliminate
forgeries only after you've downloaded them -- so it has to be done
in the server, which also needs it to check signed control messages.

But you want the server to be simple, and not have to understand full
MIME encodings.
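
The trade-off argued in this thread, as an added example that is not part of the original message: a check over the encoded bytes needs no MIME knowledge but fails once a gateway re-codes the article, while a check over the decoded data survives re-coding but requires the verifier to implement every encoding. Assumptions: HMAC-SHA256 stands in for the PGP signature, the signature covers the body only, and the key, sample body and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import quopri

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the PGP signature

# The MIME knowledge a verifier of the *decoded* form has to carry.
DECODERS = {"7bit": bytes, "8bit": bytes, "base64": base64.decodebytes,
            "quoted-printable": quopri.decodestring}
ENCODERS = {"7bit": bytes, "8bit": bytes, "base64": base64.encodebytes,
            "quoted-printable": quopri.encodestring}

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify_encoded(wire, sig):
    """Server-side check over the bytes as received; no MIME parsing at all."""
    return hmac.compare_digest(mac(wire), sig)

def verify_decoded(cte, wire, sig):
    """Check over the decoded data; fails closed on an encoding it does not know."""
    if cte not in DECODERS:
        return False
    return hmac.compare_digest(mac(DECODERS[cte](wire)), sig)

def demo():
    data = "Gr\u00fc\u00dfe aus K\u00f6ln\n".encode("utf-8")  # constructed 8-bit body
    wire = ENCODERS["8bit"](data)
    sig_encoded, sig_decoded = mac(wire), mac(DECODERS["8bit"](wire))
    # A 7-bit gateway re-codes the article; the data itself is unchanged.
    recoded = ENCODERS["quoted-printable"](DECODERS["8bit"](wire))
    return {
        "before_encoded": verify_encoded(wire, sig_encoded),
        "after_encoded": verify_encoded(recoded, sig_encoded),
        "after_decoded": verify_decoded("quoted-printable", recoded, sig_decoded),
        "unknown_cte": verify_decoded("x-custom", recoded, sig_decoded),
        "same_data": DECODERS["quoted-printable"](recoded) == data,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```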