* ding mailing list software corrupts PGP/MIME mail? @ 2003-04-18 17:18 Simon Josefsson 2003-04-19 7:21 ` Xavier Maillard 2003-04-19 9:03 ` Jochen Küpper 0 siblings, 2 replies; 9+ messages in thread From: Simon Josefsson @ 2003-04-18 17:18 UTC (permalink / raw) [-- Attachment #1: Type: text/plain, Size: 607 bytes --] On gnu.emacs.gnus it was pointed out that PGP/MIME with signatures (the '-- ' kind of signature) doesn't work properly and some posts on this list was given as examples. Since the list software seem to have have changed recently, I'm sending this to see whether it is indeed the case. The problem: Gnus encodes the signature delimiter '-- ' with QP as =2D-=20, as is required by RFC 2440, but it is changed into '--=20' (or similar) by some software, thus destroying the PGP signature. Let's see if the following delimiter is trashed too (it left my system via SMTP encoded as =2D-=20): -- [-- Attachment #2: Type: application/pgp-signature, Size: 354 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-04-18 17:18 ding mailing list software corrupts PGP/MIME mail? Simon Josefsson @ 2003-04-19 7:21 ` Xavier Maillard 2003-04-19 10:21 ` Simon Josefsson 2003-04-19 9:03 ` Jochen Küpper 1 sibling, 1 reply; 9+ messages in thread From: Xavier Maillard @ 2003-04-19 7:21 UTC (permalink / raw) Cc: ding [-- Attachment #1: Type: text/plain, Size: 1070 bytes --] <#secure method=pgpmime mode=sign> On 18 avr 2003, Simon Josefsson said: > On gnu.emacs.gnus it was pointed out that PGP/MIME with signatures > (the '-- ' kind of signature) doesn't work properly and some posts on > this list was given as examples. Since the list software seem to > have have changed recently, I'm sending this to see whether it is > indeed the case. > > The problem: Gnus encodes the signature delimiter '-- ' with QP as > =2D-=20, as is required by RFC 2440, but it is changed into '--=20' > (or similar) by some software, thus destroying the PGP signature. > Let's see if the following delimiter is trashed too (it left my > system via SMTP encoded as =2D-=20): Hmm the only thing I can see from your message is that PGG failed to recognizez your signature (marked as Failed) but I can't say it is general cuz' I've already seen other PGG signed messages with signature before. zeDek -- http://www.gnusfr.org -- French Gnus user site Anti-war disclaimer: "Bombing for peace is like fucking for virginity" [-- Attachment #2: Type: application/pgp-signature, Size: 188 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-04-19 7:21 ` Xavier Maillard @ 2003-04-19 10:21 ` Simon Josefsson 0 siblings, 0 replies; 9+ messages in thread From: Simon Josefsson @ 2003-04-19 10:21 UTC (permalink / raw) Xavier Maillard <zedek@gnu-rox.org> writes: > <#secure method=pgpmime mode=sign> > On 18 avr 2003, Simon Josefsson said: > >> On gnu.emacs.gnus it was pointed out that PGP/MIME with signatures >> (the '-- ' kind of signature) doesn't work properly and some posts on >> this list was given as examples. Since the list software seem to >> have have changed recently, I'm sending this to see whether it is >> indeed the case. >> >> The problem: Gnus encodes the signature delimiter '-- ' with QP as >> =2D-=20, as is required by RFC 2440, but it is changed into '--=20' >> (or similar) by some software, thus destroying the PGP signature. >> Let's see if the following delimiter is trashed too (it left my >> system via SMTP encoded as =2D-=20): > > Hmm the only thing I can see from your message is that PGG failed to > recognizez your signature (marked as Failed) but I can't say it is > general cuz' I've already seen other PGG signed messages with signature > before. Do you have a Message-Id? I haven't seen any PGP/MIME signed messages with the signature delimiter encoded properly as =2D-=20 on this list since the mailing list change, but I only looked at a few messages. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-04-18 17:18 ding mailing list software corrupts PGP/MIME mail? Simon Josefsson 2003-04-19 7:21 ` Xavier Maillard @ 2003-04-19 9:03 ` Jochen Küpper 2003-04-19 10:24 ` Simon Josefsson 1 sibling, 1 reply; 9+ messages in thread From: Jochen Küpper @ 2003-04-19 9:03 UTC (permalink / raw) [-- Attachment #1: Type: text/plain, Size: 1221 bytes --] On Fri, 18 Apr 2003 19:18:59 +0200 Simon Josefsson wrote: Simon> The problem: Gnus encodes the signature delimiter '-- ' with QP as Simon> =2D-=20, as is required by RFC 2440, but it is changed into '--=20' Simon> (or similar) by some software, thus destroying the PGP signature. Simon> Let's see if the following delimiter is trashed too (it left my system Simon> via SMTP encoded as =2D-=20): On Sat, 19 Apr 2003 09:21:54 +0200 Xavier Maillard wrote: Xavier> <#secure method=pgpmime mode=sign> You seem to have two #secure directives in your mail. Xavier> Hmm the only thing I can see from your message is that PGG Xavier> failed to recognizez your signature (marked as Failed) but I Xavier> can't say it is general cuz' I've already seen other PGG Xavier> signed messages with signature before. If you look at the raw message (C-u g) you can see what Simon is talking about, I believe. Then I see "- - = 2 0" (without the spaces), as expected by Simon in his original posting. Greetings, Jochen -- Einigkeit und Recht und Freiheit http://www.Jochen-Kuepper.de Liberté, Égalité, Fraternité GnuPG key: CC1B0B4D Sex, drugs and rock-n-roll [-- Attachment #2: Type: application/pgp-signature, Size: 185 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-04-19 9:03 ` Jochen Küpper @ 2003-04-19 10:24 ` Simon Josefsson 2003-04-19 18:37 ` Jason L Tibbitts III 2003-05-05 19:15 ` Jochen Küpper 0 siblings, 2 replies; 9+ messages in thread From: Simon Josefsson @ 2003-04-19 10:24 UTC (permalink / raw) Cc: ding, ding-owner Jochen Küpper <jochen@jochen-kuepper.de> writes: > If you look at the raw message (C-u g) you can see what Simon is > talking about, I believe. > > Then I see "- - = 2 0" (without the spaces), as expected by Simon in > his original posting. This is what I got too. Is the mailing list admin reading the list? I'm cc:ing it to be sure. See http://article.gmane.org/gmane.emacs.gnus.general/51606 for the entire thread. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-04-19 10:24 ` Simon Josefsson @ 2003-04-19 18:37 ` Jason L Tibbitts III 2003-05-05 19:15 ` Jochen Küpper 1 sibling, 0 replies; 9+ messages in thread From: Jason L Tibbitts III @ 2003-04-19 18:37 UTC (permalink / raw) >>>>> "SJ" == Simon Josefsson <jas@extundo.com> writes: SJ> This is what I got too. Is the mailing list admin reading the SJ> list? I'm cc:ing it to be sure. Yes, I'm reading. Yes, I'm looking into it. - J< ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-04-19 10:24 ` Simon Josefsson 2003-04-19 18:37 ` Jason L Tibbitts III @ 2003-05-05 19:15 ` Jochen Küpper 2003-05-05 20:07 ` Jason L Tibbitts III 1 sibling, 1 reply; 9+ messages in thread From: Jochen Küpper @ 2003-05-05 19:15 UTC (permalink / raw) Cc: ding=smP1P7uqpqc [-- Attachment #1: Type: text/plain, Size: 710 bytes --] On Sat, 19 Apr 2003 12:24:40 +0200 Simon Josefsson wrote: >> Then I see "- - = 2 0" (without the spaces), as expected by Simon in >> his original posting. Simon> This is what I got too. Is the mailing list admin reading the list? Simon> I'm cc:ing it to be sure. See Simon> http://article.gmane.org/gmane.emacs.gnus.general/51606 for the entire Simon> thread. AFAICT this issue is not solved yet. Is anybody working on it? Any progress? Can we expect this to be fixed sometime soon? Greetings, Jochen -- Einigkeit und Recht und Freiheit http://www.Jochen-Kuepper.de Liberté, Égalité, Fraternité GnuPG key: CC1B0B4D Sex, drugs and rock-n-roll [-- Attachment #2: Type: application/pgp-signature, Size: 185 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-05-05 19:15 ` Jochen Küpper @ 2003-05-05 20:07 ` Jason L Tibbitts III 2003-05-05 20:43 ` Simon Josefsson 0 siblings, 1 reply; 9+ messages in thread From: Jason L Tibbitts III @ 2003-05-05 20:07 UTC (permalink / raw) Cc: ding >>>>> "Jochen" == Jochen Küpper <jochen@jochen-kuepper.de> writes: Jochen> AFAICT this issue is not solved yet. Is anybody working on it? Yes, I'm working on it. I have a fix which I'm currently testing, but it will need much more testing before I can even think of putting it into production. Even then, I have doubts about whether it would be sufficient, or about whether it's even a good idea to allow messages to go out without a complete decode/scrub/encode cycle in this age of broken mail client software. Can someone point me to the exact standard that says it is illegal to encode the signature separator to "--=20". Someone mentioned RFC2440, but it doesn't include any mention at all of signature separators, quoted-printable encoding or the string "--" in a relevant context. - J< ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ding mailing list software corrupts PGP/MIME mail? 2003-05-05 20:07 ` Jason L Tibbitts III @ 2003-05-05 20:43 ` Simon Josefsson 0 siblings, 0 replies; 9+ messages in thread From: Simon Josefsson @ 2003-05-05 20:43 UTC (permalink / raw) Cc: jochen, ding Jason L Tibbitts III <tibbs@math.uh.edu> writes: >>>>>> "Jochen" == Jochen Küpper <jochen@jochen-kuepper.de> writes: > > Jochen> AFAICT this issue is not solved yet. Is anybody working on it? > > Yes, I'm working on it. I have a fix which I'm currently testing, but > it will need much more testing before I can even think of putting it > into production. Even then, I have doubts about whether it would be > sufficient, or about whether it's even a good idea to allow messages > to go out without a complete decode/scrub/encode cycle in this age of > broken mail client software. > > Can someone point me to the exact standard that says it is illegal to > encode the signature separator to "--=20". Someone mentioned RFC2440, > but it doesn't include any mention at all of signature separators, > quoted-printable encoding or the string "--" in a relevant context. RFC 3156 section 3 contains the argument why Gnus encodes the trailing blank of '-- ' signatures. (RFC 3156 doesn't cover plain OpenPGP messages, but the argument about gateways are still valid.) RFC 2440 section 7.1 contains the reason why Gnus escapes leading '-'. (If we let the OpenPGP implementation escape it, using the dash escape algorithm, the output is not backwards compatible with RFC 1991, which didn't describe dash escaping. And we want to support PGP 2.x.) 3. Content-Transfer-Encoding restrictions Multipart/signed and multipart/encrypted are to be treated by agents as opaque, meaning that the data is not to be altered in any way [2], [7]. However, many existing mail gateways will detect if the next hop does not support MIME or 8-bit data and perform conversion to either Quoted-Printable or Base64. This presents serious problems for multipart/signed, in particular, where the signature is invalidated when such an operation occurs. For this reason all data signed according to this protocol MUST be constrained to 7 bits (8- bit data MUST be encoded using either Quoted-Printable or Base64). Note that this also includes the case where a signed object is also encrypted (see section 6). This restriction will increase the likelihood that the signature will be valid upon receipt. Additionally, implementations MUST make sure that no trailing whitespace is present after the MIME encoding has been applied. Note: In most cases, trailing whitespace can either be removed, or protected by applying an appropriate content-transfer-encoding. However, special care must be taken when any header lines - either in MIME entity headers, or in embedded RFC 822 headers - are present which only consist of whitespace: Such lines must be removed entirely, since replacing them by empty lines would turn them into header delimiters, and change the semantics of the message. The restrictions on whitespace are necessary in order to make the hash calculated invariant under the text and binary mode signature mechanisms provided by OpenPGP [1]. Also, they help to avoid compatibility problems with PGP implementations which predate the OpenPGP specification. Note: If any line begins with the string "From ", it is strongly suggested that either the Quoted-Printable or Base64 MIME encoding be applied. If Quoted-Printable is used, at least one of the characters in the string should be encoded using the hexadecimal coding rule. This is because many mail transfer and delivery agents treat "From " (the word "from" followed immediately by a space character) as the start of a new message and thus insert a right angle-bracket (>) in front of any line beginning with "From " to distinguish this case, invalidating the signature. Data that is ONLY to be encrypted is allowed to contain 8-bit characters and trailing whitespace and therefore need not undergo the conversion to a 7bit format, and the stripping of whitespace. Implementor's note: It cannot be stressed enough that applications using this standard follow MIME's suggestion that you "be conservative in what you generate, and liberal in what you accept." In this particular case it means it would be wise for an implementation to accept messages with any content-transfer- encoding, but restrict generation to the 7-bit format required by this memo. This will allow future compatibility in the event the Internet SMTP framework becomes 8-bit friendly. 7.1. Dash-Escaped Text The cleartext content of the message must also be dash-escaped. Dash escaped cleartext is the ordinary cleartext where every line starting with a dash '-' (0x2D) is prefixed by the sequence dash '-' (0x2D) and space ' ' (0x20). This prevents the parser from recognizing armor headers of the cleartext itself. The message digest is computed using the cleartext itself, not the dash escaped form. As with binary signatures on text documents, a cleartext signature is calculated on the text using canonical <CR><LF> line endings. The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP SIGNATURE-----' line that terminates the signed text is not considered part of the signed text. Also, any trailing whitespace (spaces, and tabs, 0x09) at the end of any line is ignored when the cleartext signature is calculated. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2003-05-05 20:43 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2003-04-18 17:18 ding mailing list software corrupts PGP/MIME mail? Simon Josefsson 2003-04-19 7:21 ` Xavier Maillard 2003-04-19 10:21 ` Simon Josefsson 2003-04-19 9:03 ` Jochen Küpper 2003-04-19 10:24 ` Simon Josefsson 2003-04-19 18:37 ` Jason L Tibbitts III 2003-05-05 19:15 ` Jochen Küpper 2003-05-05 20:07 ` Jason L Tibbitts III 2003-05-05 20:43 ` Simon Josefsson
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).