[Webfunds-devel] [Fwd: Text canonicalization in RFC 2440 - backwards compatibility?]
Ian Grigg
iang@systemics.com
Wed, 04 Oct 2000 14:24:39 -0400
This is a multi-part message in MIME format.
--------------98DC6C4C119C28559536049F
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hmm, interesting. I hope we are not facing yet another change
to the cleartext signature method. Currently, the signature is
calculated on lines with whitespace removed and <CR>LF> added.
Another complication is the dropping of the last <CR><LF> which
Roessler does not mention below. Further, he says blanks, but
I think we remove all whitespace, including tabs.
One to watch.
iang
-------- Original Message --------
Subject: Text canonicalization in RFC 2440 - backwards compatibility?
Date: Wed, 4 Oct 2000 12:36:38 +0200
From: Thomas Roessler <roessler@does-not-exist.org>
To: "Peter J . Holzer" <hjp@wsr.ac.at>
CC: Lars Hecking <lhecking@nmrc.ie>, aleph1@SECURITYFOCUS.COM,"ietf-openpgp @ imc . org" <ietf-openpgp@imc.org>
References: <Pine.LNX.4.10.10009302120460.852-100000@localhost> <87em21kw78.fsf@cain.internet2.edu> <Pine.LNX.4.10.10009302120460.852-100000@localhost> <20001002130658.A5228@faui02.informatik.uni-erlangen.de> <20001002190646.A17974@gondor.com> <20001003153031.G32582@wsr.ac.at> <20001004100634.A22743@nmrc.ie> <20001004115529.C15434@wsr.ac.at>
[This thread got started since PGP signatures on the bugtraq list
did not verify correctly. However, these signatures are (1)
text-mode, and (2) the modification apparently concerns trailing
whitespace.]
This smells like a discrepancy between RFC 2440 and the classical
PGP implementation has crept in, and gone unnoticed for quite some
time.
Essentially, RFC 2440 says that we shouldn't observe the problems
occuring on bugtraq: Peter is generating "canonical text"
signatures. RFC 2440 says:
0x01: Signature of a canonical text document.
Typically, this means the signer owns it, created it, or
certifies that it has not been modified. The signature
is calculated over the text data with its line endings
converted to <CR><LF> and trailing blanks removed.
However, when experimenting with PGP 2.6.3in, I'm observing that
canonical text signatures _do_ take trailing whitespace into
account.
Now, let's look at the older docs: RFC 1991 doesn't seem to define
canonical text mode at all. pgpdoc2.txt from the PGP 2
distribution, however, just says this: "Canonical text has a
carriage return and a linefeed at the end of each line of text."
This is a precise description of the behaviour, and actually matches
the expectation which seems to have been implicit to RFC 2015, which
only deals with line-end canonicalization, but not with the
signature mode to be used.
To make things worse, the "clearsign" signatures of pgp2 _do_
correspond with what RFC 2440 says about canonical text documents in
general.
Now, what are the recent implementations (PGP 5/6/7, GnuPG) doing
about all this? Are they compatible:
- to each other?
- to PGP 2.6?
Or am I just confused?
On 2000-10-04 11:55:29 +0200, Peter J . Holzer wrote:
> Date: Wed, 4 Oct 2000 11:55:29 +0200
> From: "Peter J . Holzer" <hjp@wsr.ac.at>
> To: Lars Hecking <lhecking@nmrc.ie>
> Cc: Thomas Roessler <roessler@does-not-exist.org>,
> aleph1@SECURITYFOCUS.COM
> Subject: Re: rcp file transfer hole (was: scp file transfer hole)
> X-Mailer: Mutt 0.95.3i
>
> [I have included Elias in the Cc, because I think he might want to know
> about this "feature" of his mailing-list software]
>
>
> On 2000-10-04 10:06:34 +0100, Lars Hecking wrote:
> > Any idea why half the signatures on bugtraq don't check out? Do you
> > have an fcc copy of your posting that you can compare with the posted
> > message?
>
> Yes.
>
> Looks like Bugtraq strips trailing spaces from each line. This will
> garble the signature separator ("-- ") and therefore the pgp signature
> won't check out any more.
>
> I guess I should add
>
> send-hook '~t BUGTRAQ@SECURITYFOCUS.COM' 'set pgp_strict_enc'
>
> to my .muttrc.
>
> For people which don't use PGP signatures, but want their normal
> signatures to be separated correctly, it would be nice if mutt could be
> forced to use quoted printable even for ascii messages. Thomas?
>
> hp
>
> --
> _ | Peter J. Holzer | Any setuid root program that does an
> |_|_) | Sysadmin WSR / LUGA | exec() somewhere is just a less
> | | | hjp@wsr.ac.at | user friendly version of su.
> __/ | http://www.hjp.at/ | -- Olaf Kirch on bugtraq 2000-08-07
--
Thomas Roessler <roessler@does-not-exist.org>
--------------98DC6C4C119C28559536049F
Content-Type: application/pgp-signature;
name="nsmail39DB7519120079A"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="nsmail39DB7519120079A"
LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogMi42LjNpbgoKaVFFVkF3
VUJPZHNJTnRJbUtVVE9hc2JCQVFFSjFnZ0FubFFQOE9yWWg0SHJQZ0NMelRERC83VDdSbEZU
a1V5dgpDa29QdDJaVnZXQUJmeTJCdjJUK2xHRS9rNlcxV3FoYitZemp6MHhib09Cc0dnYVdL
QkpWYkE3R28yU0VDUTRzCitWUnpqNFhNV1ZiMFJUV2NnNHQ3dEhkQndmcElNM2Q5aGVNcDBL
aVlnVnVIUk1rU0RJVFo4UVlRcUpjSTl4WXcKMUFDWDNRemZHQ01DS080dUNlL0tqUGVJUzZ6
TTFTemNncWpPbjZ2aWdqQ1dXQ3hYclVUQk9QN2RTYk81M2t4OApvdklYNjhlUkNuMWdJR0JV
dE5PTlcyOXI1YXZaL1NZVHQ5RlQxRDJKL2VFdmRHODJ0eU10T09vRkwxT2JMNlRnCjJ4TUdE
WDVIM0NYQWxYb0pVc0h2UHB0dTR2dTZjR3l1emRwdU5zemN0M1dBMEM2WUhMMzZxQT09Cj1L
dGk1Ci0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQoK
--------------98DC6C4C119C28559536049F--