Re: [openpgp] incomplete/confusing guidance around "Hash" Armor header for cleartext signing framework

Ángel <> Fri, 19 March 2021 00:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 194A63A109C for <>; Thu, 18 Mar 2021 17:43:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Uq_KdXeazVMZ for <>; Thu, 18 Mar 2021 17:43:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 601513A109A for <>; Thu, 18 Mar 2021 17:43:44 -0700 (PDT)
Message-ID: <>
From: =?ISO-8859-1?Q?=C1ngel?= <>
Date: Fri, 19 Mar 2021 01:43:42 +0100
In-Reply-To: <>
References: <> <> <>
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [openpgp] incomplete/confusing guidance around "Hash" Armor header for cleartext signing framework
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Mar 2021 00:43:47 -0000

On 2021-03-18 at 09:46 +0100, Werner Koch wrote:
> On Thu, 18 Mar 2021 02:20, Ángel said:
> > I think the phrase
> > >      - One or more "Hash" Armor Headers,
> > should have been
> > >      - One or more Armor Headers,
> Nope becuase ...
> > Then it covers other armor headers that may be present, such as
> > "Charset:", and then it suddenly makes sense the following
> > discussion
> There should be only one Charset header.

No. What I mean is that it only says «One or more "Hash" Armor
Headers,». It doesn't mention other Armor Headers. Charset was an
example I gave of other armor headers that might be there.

And yes, Charset is a weird header. It doesn't make much sense to
define it but say it may be followed or ignored and treated as utf-8
anyway. The sane thing would be to state that when encoding utf-8 MUST
be used, and receivers are not required to implement any other charset.
The behavior if they find a different charset would be up to them, they
could implement more charsets (specially interesting for old content),
show an error message, use a different charset and hope for the best...

> In any case, MIME is a way better method to define such
> properties.  Better have that only at one place to avoid conflicts -
> and the armor header are not protected which has led to questions in
> the past.

I'm not so sure. If it's an armored message, the charset header will be
more right than the document MIME. If it's a clearsigned one, then
either of them may be the correct one. The only safe way would be to
specify the same charset in the MIME Content-Type as in the PGP own
Charset heaer, and that such charset is utf-8.

Best regards