IETF Logo Mail Archive

Re: Outstanding question - rule on cleartext signing last line

Ian G <iang@systemics.com> Mon, 26 December 2005 17:41 UTC

Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EqwLe-0002e4-CU for openpgp-archive@megatron.ietf.org; Mon, 26 Dec 2005 12:41:26 -0500
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA10042 for <openpgp-archive@lists.ietf.org>; Mon, 26 Dec 2005 12:40:16 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jBQHTjgZ001411; Mon, 26 Dec 2005 09:29:45 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id jBQHTjg9001410; Mon, 26 Dec 2005 09:29:45 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id jBQHTi7C001404 for <ietf-openpgp@imc.org>; Mon, 26 Dec 2005 09:29:44 -0800 (PST) (envelope-from iang@systemics.com)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 2870141676; Mon, 26 Dec 2005 17:29:43 +0000 (GMT)
Message-ID: <43B0285D.2020004@systemics.com>
Date: Mon, 26 Dec 2005 17:29:01 +0000
From: Ian G <iang@systemics.com>
Organization: http://financialcryptography.com/
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050921)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: David Shaw <dshaw@jabberwocky.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Outstanding question - rule on cleartext signing last line
References: <43980274.2080404@iang.org> <20051208104150.GA14918@epointsystem.org> <43981C74.1070403@systemics.com> <87bqzrhj6i.fsf@wheatstone.g10code.de> <20051208145205.GA5943@jabberwocky.com> <43AFE21B.1000102@algroup.co.uk> <20051226153615.GB7066@jabberwocky.com> <43B0184C.6010505@systemics.com> <20051226163908.GC7066@jabberwocky.com>
In-Reply-To: <20051226163908.GC7066@jabberwocky.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit

David Shaw wrote:
> As far as I can see, the current system is quite reversible.  For
> example, given a document reading "this is a test" (no line ending,
> and the last character in the file is the second t from test), here's
> a clear signature:

OK, I understand all that.  But you've added
a new rule:  on signing, always add the extra
line ending.

And that's what we want to clarify - I don't
think the spec says that.  It simply says that
the last newline is not part of the signature.

By all means, if that's what we agree on, then
we should simply state that in the spec:  always
add a newline on signing, always take it off
on reversing (verifying and stripping sig).

I'm happy with that rule - even though I don't
think that's what all implementations do.

> The final CRLF is not part of the document.  If a user/implementation
> wants a final CRLF in there that is part of the document, they need to
> add one.
> 
> Think of the "BEGIN PGP SIGNATURE" string as actually being
> "CRLF-----BEGIN PGP SIGNATURE".  It's part of the message structure
> and not part of the signed text.

Right that all makes perfect sense - to me.
Can we put that in the spec?  Here's what it
says:

     As with binary signatures on text documents, a cleartext signature
     is calculated on the text using canonical <CR><LF> line endings.
     The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
     SIGNATURE-----' line that terminates the signed text is not
     considered part of the signed text.

     When reversing dash-escaping, an implementation MUST strip the
     string "- " if it occurs at the beginning of a line, and SHOULD warn
     on "-" and any character other than a space at the beginning of a
     line.

     Also, any trailing whitespace -- spaces (0x20) and tabs (0x09) -- at
     the end of any line is removed when the cleartext signature is
     generated.

Here's what I suggest (changes at ***):

     As with binary signatures on text documents, a cleartext signature
     is calculated on the text using canonical <CR><LF> line endings.
     The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
     SIGNATURE-----' line that terminates the signed text is not
*** part of the signed document and SHOULD be added by implementations. ***

     When reversing dash-escaping, an implementation MUST strip the
     string "- " if it occurs at the beginning of a line, and SHOULD warn
     on "-" and any character other than a space at the beginning of a
     line.

     Also, any trailing whitespace -- spaces (0x20) and tabs (0x09) -- at
     the end of any line is removed when the cleartext signature is
     generated.

How's that?

iang

v2.23.0 | Report a Bug | By Email