Re: [openpgp] OpenPGP Armor Message specification

Guillem Jover <guillem@hadrons.org> Mon, 19 October 2015 16:52 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/baM0xi1422-hyR1gK96nSmYy2vI>

Hi!

On Fri, 2015-09-18 at 18:24:58 +0200, Guillem Jover wrote:
> As I mentioned to Werner and Daniel at DebConf 15, I think the
> specification of the OpenPGP Armor Messages has some unclear parts,
> which I think were part of the reason for several security issues
> in multiple projects due to mismatched parsing of Armor Header Lines.
> 
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695919>
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695932>
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696230>
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696234>
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704613>
> 
> Here are some things that would be good to clarify in RFC4880:
> 
> * In §6.2 there's no explicit definition of what ASCII characters are
>   to be considered whitespace (contrast that with §7.1). In this case
>   GnuPG considers whitespace to be «SPACE 0x20, HT 0x09 and CR 0x0D»
>   and now most tools in Debian do too. I don't know if that matches
>   with PGP for example.
> 
> * In §7, mention that this is a specific instance of §6.2?
> 
> * In §7, probably clarify that by «empty» in:
>   «- Exactly one empty line not included into the message digest,»
>   it means «blank» as in §6.2:
>   «- A blank (zero-length, or containing only whitespace) line»

Ok, how about something along the lines of the attached patch against
RFC4880bis?

Although maybe it would be better to define "whitespace" just once
instead of inlining it in several places.

Thanks,
Guillem
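
The difference between «empty» and «blank» discussed in this message, as an added example that is not part of the original post or of the attached patch: a check a verifier could run to reject input on which the two readings place the header/body separator on different lines. The function names and sample messages are constructed for illustration; the whitespace set is the one the post attributes to GnuPG, and treating a lone CR left over from a CRLF line ending as «empty» is an assumption.

```python
from typing import Callable, Optional

# Whitespace set the post attributes to GnuPG: SPACE 0x20, HT 0x09, CR 0x0D.
ARMOR_WS = b" \t\r"

def is_empty(line: bytes) -> bool:
    """Strict reading of «empty»: zero-length (assumption: a CR from CRLF is allowed)."""
    return line in (b"", b"\r")

def is_blank(line: bytes) -> bool:
    """§6.2 reading of «blank»: zero-length, or containing only whitespace."""
    return line.strip(ARMOR_WS) == b""

def separator_index(message: bytes, accepts: Callable[[bytes], bool]) -> Optional[int]:
    """Index of the first line after the armor header line that `accepts` matches."""
    lines = message.split(b"\n")
    for i, line in enumerate(lines[1:], start=1):
        if accepts(line):
            return i
    return None

def check_separator(message: bytes) -> dict:
    """Compare both readings; a verifier should refuse input where they disagree."""
    strict = separator_index(message, is_empty)
    lenient = separator_index(message, is_blank)
    return {"strict": strict, "lenient": lenient, "ambiguous": strict != lenient}

# Constructed sample: separator is a zero-length line, both readings agree.
CLEAN = (b"-----BEGIN PGP SIGNED MESSAGE-----\n"
         b"Hash: SHA256\n"
         b"\n"
         b"hello\n"
         b"-----BEGIN PGP SIGNATURE-----\n")

# Constructed sample: a whitespace-only line precedes the first zero-length line,
# so a «blank» parser and an «empty» parser see different header/body boundaries.
ODD = (b"-----BEGIN PGP SIGNED MESSAGE-----\n"
       b"Hash: SHA256\n"
       b" \t\n"
       b"hello\n"
       b"\n"
       b"world\n"
       b"-----BEGIN PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for name, msg in (("CLEAN", CLEAN), ("ODD", ODD)):
        print(name, check_separator(msg))
```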