Re: [openpgp] incomplete/confusing guidance around "Hash" Armor header for cleartext signing framework

[Ángel <angel@16bits.net>]

On 2021-03-18 at 09:46 +0100, Werner Koch wrote:
> On Thu, 18 Mar 2021 02:20, Ángel said:
> 
> > I think the phrase
> > >      - One or more "Hash" Armor Headers,
> > should have been
> > >      - One or more Armor Headers,
> 
> Nope becuase ...
> 
> > Then it covers other armor headers that may be present, such as
> > "Charset:", and then it suddenly makes sense the following
> > discussion
> 
> There should be only one Charset header.

No. What I mean is that it only says «One or more "Hash" Armor
Headers,». It doesn't mention other Armor Headers. Charset was an
example I gave of other armor headers that might be there.


And yes, Charset is a weird header. It doesn't make much sense to
define it but say it may be followed or ignored and treated as utf-8
anyway. The sane thing would be to state that when encoding utf-8 MUST
be used, and receivers are not required to implement any other charset.
The behavior if they find a different charset would be up to them, they
could implement more charsets (specially interesting for old content),
show an error message, use a different charset and hope for the best...


> In any case, MIME is a way better method to define such
> properties.  Better have that only at one place to avoid conflicts -
> and the armor header are not protected which has led to questions in
> the past.
> 

I'm not so sure. If it's an armored message, the charset header will be
more right than the document MIME. If it's a clearsigned one, then
either of them may be the correct one. The only safe way would be to
specify the same charset in the MIME Content-Type as in the PGP own
Charset heaer, and that such charset is utf-8.


Best regards