Gnus development mailing list
* trailing spaces in signed mails
@ 2004-12-17 12:03 Werner Koch
  2004-12-27  1:23 ` Simon Josefsson
  0 siblings, 1 reply; 3+ messages in thread
From: Werner Koch @ 2004-12-17 12:03 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 1342 bytes --]

Hi!

After the release of gnupg 1.4.0 a lot of people complained that they
were not able to verify my signature anymore.  The reason for this is
due to a change in OpenPGP and thus gpg to not strip trailing white
spaces anymore for signing.  PGP/MIME (rfc 3156) defines rules on how
to protect against this problem (most PGG and OpenPGP implementations
did it differently in the past) but these rules are not followed by
mml2015.  In particular, rfc 3156 states:

   Additionally, implementations MUST make sure that no trailing
   whitespace is present after the MIME encoding has been applied.

the example given also states:

      & Also, in some cases it might be desirable to encode any   =20
      & trailing whitespace that occurs on lines in order to ensure  =20
      & that the message signature is not invalidated when passing =20
      & a gateway that modifies such whitespace (like BITNET). =20

This message is signed and the "-- " before the signature lines should
have been sent as "--=20".  I suggest to convert the last of a run of
trailing spaces to QP.  My Gnus version is v5.10.6.


Shalom-Salam,

   Werner

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org






[-- Attachment #2: Type: application/pgp-signature, Size: 196 bytes --]


* Re: trailing spaces in signed mails
  2004-12-17 12:03 trailing spaces in signed mails Werner Koch
@ 2004-12-27  1:23 ` Simon Josefsson
  2004-12-27  2:06   ` Simon Josefsson
  0 siblings, 1 reply; 3+ messages in thread
From: Simon Josefsson @ 2004-12-27  1:23 UTC (permalink / raw)
  Cc: ding

[-- Attachment #1: Type: text/plain, Size: 1600 bytes --]

Werner Koch <wk@gnupg.org> writes:

> Hi!
>
> After the release of gnupg 1.4.0 a lot of people complained that they
> were not able to verify my signature anymore.  The reason for this is
> due to a change in OpenPGP and thus gpg to not strip trailing white
> spaces anymore for signing.  PGP/MIME (rfc 3156) defines rules on how
> to protect against this problem (most PGG and OpenPGP implementations
> did it differently in the past) but these rules are not followed by
> mml2015.  In particular, rfc 3156 states:
>
>    Additionally, implementations MUST make sure that no trailing
>    whitespace is present after the MIME encoding has been applied.
>
> the example given also states:
>
>       & Also, in some cases it might be desirable to encode any   =20
>       & trailing whitespace that occurs on lines in order to ensure  =20
>       & that the message signature is not invalidated when passing =20
>       & a gateway that modifies such whitespace (like BITNET). =20

Thanks, I believe I have fixed this in CVS, in both branches.

> This message is signed and the "-- " before the signature lines should
> have been sent as "--=20".  I suggest to convert the last of a run of
> trailing spaces to QP.  My Gnus version is v5.10.6.

As you can see in this message, it will now be sent as =2D-=20.  If
Gnus were to translate it into '--=20', I think an OpenPGP
implementation would dash escape it, and '- --=20' would be sent,
which would be less cut'n'paste compatible with RFC 1991 (which
doesn't mention dash escaping).  Is this acceptable to you?

-- 

[-- Attachment #2: Type: application/pgp-signature, Size: 350 bytes --]


* Re: trailing spaces in signed mails
  2004-12-27  1:23 ` Simon Josefsson
@ 2004-12-27  2:06   ` Simon Josefsson
  0 siblings, 0 replies; 3+ messages in thread
From: Simon Josefsson @ 2004-12-27  2:06 UTC (permalink / raw)
  Cc: Werner Koch

Simon Josefsson <jas@extundo.com> did not write:

> --=20

Sadly, the mailing list software used on the Ding list re-encodes QP
messages, even PGP/MIME messages, so the signature on that message was
destroyed.  The above delimiter was sent as =2D-=20 but the list
software delivered it as --=20, which destroyed the signature.

Fortunately, this mailing list software behavior doesn't seem to be
widely deployed.
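
The two failure modes discussed in this thread, as an added example that is not part of the original messages and is not Gnus or GnuPG code: a gateway that strips trailing whitespace, and list software that re-encodes quoted-printable. Assumptions: SHA-256 over the CRLF-joined encoded lines stands in for the signed hash, the helper names are hypothetical, the body is a constructed sample, and the minimal encoder handles ASCII lines without soft line breaks only.

```python
import hashlib
import re

def qp_line(line, dash=True):
    """QP-encode one ASCII line; the last trailing space/tab becomes =20/=09."""
    out = line.replace("=", "=3D")
    if dash and out.startswith("-"):       # leading '-' as =2D, as in the reply above
        out = "=2D" + out[1:]
    if out.endswith((" ", "\t")):          # only the last of a run needs encoding
        out = out[:-1] + "=%02X" % ord(out[-1])
    return out

def qp_decode(line):
    return re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), line)

def digest(lines):
    """Stand-in for the signed hash: SHA-256 over the encoded part as sent."""
    return hashlib.sha256("\r\n".join(lines).encode("ascii") + b"\r\n").hexdigest()

def has_trailing_ws(lines):
    """RFC 3156 check: no trailing whitespace after MIME encoding."""
    return any(l.endswith((" ", "\t")) for l in lines)

def gateway_strip(lines):
    """A gateway that removes trailing whitespace from every line."""
    return [l.rstrip(" \t") for l in lines]

def list_reencode(lines):
    """List software that decodes QP and re-encodes it, leaving '-' literal."""
    return [qp_line(qp_decode(l), dash=False) for l in lines]

BODY = ["Shalom-Salam,", "", "   Werner", "", "-- ", "Werner Koch"]  # constructed sample
raw = [l.replace("=", "=3D") for l in BODY]        # trailing space left as-is
protected = [qp_line(l) for l in BODY]             # trailing space and dash encoded

def report():
    reenc = list_reencode(protected)
    return {
        "raw_has_trailing_ws": has_trailing_ws(raw),
        "protected_has_trailing_ws": has_trailing_ws(protected),
        "raw_survives_strip": digest(gateway_strip(raw)) == digest(raw),
        "protected_survives_strip": digest(gateway_strip(protected)) == digest(protected),
        "delimiter_sent": protected[4],
        "delimiter_after_reencode": reenc[4],
        "text_unchanged_by_reencode": [qp_decode(l) for l in reenc] == BODY,
        "protected_survives_reencode": digest(reenc) == digest(protected),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The re-encoded message decodes to the same text, yet the hash differs because the signature covers the encoded bytes, not the decoded content.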


