Mailing List Archive

>From woes
What is the incantation to tell gpg to escape "From-space" lines when
doing ascii armor or --clearsig? It seems that the pgp versions
2.6.3a and 5.0 that I have access to are doing "- From " lines for
ascii armor text without being told anything special.

What am I missing for gpg?

jam
Re: >From woes
"John A. Martin" <jam@jamux.com> writes:

> What is the incantation to tell gpg to escape "From-space" lines when
> doing ascii armor or --clearsig? It seems that the pgp versions
> 2.6.3a and 5.0 that I have access to are doing "- From " lines for
> ascii armor text without being told anything special.

Because I think a MUA should cope with these strange things.
I think it is not required by RfC2440 - can someone please look it up?
Re: >From woes
On Wed, Dec 16, 1998 at 09:15:39AM +0100, Werner Koch wrote:

>> What is the incantation to tell gpg to escape "From-space" lines
>> when doing ascii armor or --clearsig? It seems that the pgp
>> versions 2.6.3a and 5.0 that I have access to are doing "- From "
>> lines for ascii armor text without being told anything special.

> Because I think a MUA should cope with these strange things.

I disagree. Clear signing is often used with primitive MUAs which
tend to know nothing about PGP and (often) don't do the escaping
themselves.

Thus, having gpg escape "From " lines would be seriously useful.

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
Re: >From woes
Thomas Roessler <roessler@guug.de> writes:

> Thus, having gpg escape "From " lines would be seriously useful.

Okay. I'll do it.
Re: >From woes
>>>>> "Werner" == Werner Koch
>>>>> "Re: >From woes"
>>>>> Wed, 16 Dec 1998 09:15:39 +0100

Werner> "John A. Martin" <jam@jamux.com> writes:
>> What is the incantation to tell gpg to escape "From-space"
>> lines when doing ascii armor or --clearsig? It seems that the
>> pgp versions 2.6.3a and 5.0 that I have access to are doing
>> "- From " lines for ascii armor text without being told
>> anything special.

Werner> Because I think a MUA should cope with these strange
Werner> things. I think it is not required by RfC2440 - can
Werner> someone please look it up?

RFC2440 Section 7.1. Dash-Escaped Text[1] only escapes dashes at the
beginning of lines. RFC1991, Section 2.4.1 ASCII Armor Formats,
describes an "Armor Headerline" but does not mention dash-escape.

What is a MUA to do, distinguish between rfc2440 compliant cleartext
and the rest?

Would a gpg option to do something like ">From " before signing be in
order to try to prevent mutilation by mail systems?

jam

Footnotes:
[1] Here is the text. A grep on "escape" and "dash" found nothing
else relevant.

-------------- cut here ---->8 ---< head

7.1. Dash-Escaped Text

The cleartext content of the message must also be dash-escaped.
Dash escaped cleartext is the ordinary cleartext where every line
starting with a dash '-' (0x2D) is prefixed by the sequence dash '-'
(0x2D) and space ' ' (0x20). This prevents the parser from
recognizing armor headers of the cleartext itself. The message digest
is computed using the cleartext itself, not the dash escaped form.

As with binary signatures on text documents, a cleartext signature is
calculated on the text using canonical <CR><LF> line endings. The
line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP
SIGNATURE-----' line that terminates the signed text is not
considered part of the signed text.

Also, any trailing whitespace (spaces, and tabs, 0x09) at the end of
any line is ignored when the cleartext signature is calculated.

---- 8<------- cut here ----------> tail

--
GNU GPL: "The source is with you... always"
Re: >From woes
"John A. Martin" <jam@jamux.com> writes:

> Would a gpg option to do something like ">From " before signing be in
> order to try to prevent mutilation by mail systems?

This would be option no. 87 or so :-)


Werner
Re: >From woes
On 12/16/1998 13:47 +0100, Thomas Roessler wrote:
>> On Wed, Dec 16, 1998 at 09:15:39AM +0100, Werner Koch wrote:
>>
>> >> What is the incantation to tell gpg to escape "From-space" lines
>> >> when doing ascii armor or --clearsig? It seems that the pgp
>> >> versions 2.6.3a and 5.0 that I have access to are doing "- From "
>> >> lines for ascii armor text without being told anything special.
>>
>> > Because I think a MUA should cope with these strange things.
>>
>> I disagree. Clear signing is often used with primitive MUAs which
>> tend to know nothing about PGP and (often) don't do the escaping
>> themselves.
>>
>> Thus, having gpg escape "From " lines would be seriously useful.
>>
>> tlr

Besides, it seems to me that having an MUA escape "From " lines after
the message has been signed would seriously mess up signatures... It's
bad enough to have to deal with CR vs CR/LF vs LF... I think this really
needs to be done by the signing agent (whether it's GPG, PGP, or any other
similar package). Either that, or the signature verification utilities
have to know enough to un-escape "From "...


tw

--
+--------------------------------------+------------------------------------+
| Tim Walberg | Phone: (847) 632-3407 |
| Motorola CE/ITS | Pager: (800) SKY-TEL2 PIN:1384689 |
| 1475 W Shure Dr. IL75-2H14 | FAX: (847) 632-5769 |
| Arlington Heights, IL 60004 | |
+--------------------------------------+------------------------------------+
| http://www.cig.mot.com/~walberg | E-mail: walberg@cig.mot.com, |
| http://www.skytel.com/Paging (pager) | 1384689@skytel.com (pager) |
+--------------------------------------+------------------------------------+
Re: >From woes
On Wed, Dec 16, 1998 at 09:29:12AM -0600, Tim Walberg wrote:

>Besides, it seems to me that having an MUA escape "From " lines after
>the message has been signed would seriously mess up signatures... It's
>bad enough to have to deal with CR vs CR/LF vs LF... I think this really
>needs to be done by the signing agent (whether it's GPG, PGP, or any other
>similar package). Either that, or the signature verification utilities
>have to know enough to un-escape "From "...

Un-escaping "From " is a very risky business; different mailers
escape it in different ways, and ">From " at the start of a line
does not always mean that the line is in fact "From ". Basic rule:
don't try it. There's some fairly good material on the Netscape site
on this; I don't have the URL handy, but searching for "bsd mailbox"
on that site should do the trick.

Cheers,

Roger

--
Roger Burton West
Frontline Administrator, Demon Internet Ltd - of _course_ I don't speak
Home: roger@firedrake.demon.co.uk for them!
Web: http://www.firedrake.demon.co.uk
Re: >From woes
>>>>> "Rat" == Stainless Steel Rat
>>>>> "Re: >From woes"
>>>>> 16 Dec 1998 10:52:17 -0500

Rat> "WK" == Werner Koch <wk@isil.d.shuttle.de> writes:

WK> Because I think a MUA should cope with these strange things.
WK> I think it is not required by RfC2440 - can someone please
WK> look it up?

Rat> RFC2440:
Rat> Though not required, it is generally a good idea to use
Rat> Quoted-Printable encoding in the first step (writing out
Rat> the data to be signed in MIME canonical format) if any of
Rat> the lines in the data begin with "From ", and encode the
Rat> "F". This will avoid an MTA inserting a ">" in front of
Rat> the line, thus invalidating the signature!

I'm confused. I do not see that text in my copy of rfc2440.

141371 Nov 10 17:28 rfc2440.txt
-------------- cut here ---->8 ---< head
Network Working Group J. Callas
Request for Comments: 2440 Network Associates
Category: Standards Track L. Donnerhacke
IN-Root-CA Individual Network e.V.
H. Finney
Network Associates
R. Thayer
EIS Corporation
November 1998


OpenPGP Message Format
---- 8<------- cut here ----------> tail

Perhaps we need to have gpg signatures on RFCs. :-)

jam
Re: >From woes
Roger Burton West <roger@firedrake.demon.co.uk> writes:

> Un-escaping "From " is a very risky business; different mailers
> escape it in different ways, and ">From " at the start of a line

It does not do any harm if we do it; the only possible problem is an
OpenPGP application which assumes only "- -" is a dash-escaped line and
not "- "; I don't think that there is such an application.
Re: >From woes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>From Werner.

Now, is that line a potential mbox delimiter that has been escaped, or is
it a line written by you and cited by me? More critically, is the '>'
character included in the signature?

I think doing > escaping of From should be avoided - this is something
done by delivering MTAs that use broken mailbox formats.

However, having gpg escape From using a dash escape when creating a
clearsigned message, in much the same way as it would escape a line
beginning with dashes doesn't seem so problematic. One doesn't expect
to be able to extract the clearsigned message body without undoing
dash-escaping, just that it is readable to humans without it.

- From

As others have noted, this probably requires other openpgp impls to
un-dash-escape such things.

The above is an example of what this would look like. Note that the
signature probably won't check, because I put the '- ' in by hand
after signing...

Some real stuff to be escaped:

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v0.4.5 (FreeBSD)
Comment: For info finger gcrypt@ftp.guug.de

- -----END PGP PUBLIC KEY BLOCK-----

Greg Troxel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.4.5 (FreeBSD)
Comment: For info finger gcrypt@ftp.guug.de

iD8DBQE2eRIB+vesoDJhHiURAhQuAKCAHcsoxCnvFf5RCi/sHmTxOSoriQCZAWvl
NA8Mq2JtycKJEyIr1wDxj2U=
=uHYQ
-----END PGP SIGNATURE-----
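
Added example, not part of any message in this thread and not GnuPG's code: a Python sketch of the trade-off discussed above, comparing plain RFC 2440 section 7.1 dash-escaping with the proposed "- From " escaping when a delivery agent puts ">" in front of "From " lines. A SHA-1 digest over the canonical text stands in for full signature verification; `mbox_quote`, `survives_delivery`, the strict-reader model and the sample body are assumptions made for illustration.

```python
import hashlib

# Constructed sample body; not taken from any message in the thread.
BODY = "Hello,\nFrom here on the text is signed.\n-----BEGIN looks like armor\nBye"

def digest(text):
    """SHA-1 over the canonical text: trailing spaces/tabs dropped, CRLF line ends."""
    lines = [l.rstrip(" \t") for l in text.split("\n")]
    return hashlib.sha1("\r\n".join(lines).encode()).hexdigest()

def dash_escape(text, escape_from=True):
    """RFC 2440 7.1 escaping, optionally extended to 'From ' lines as proposed."""
    out = []
    for line in text.split("\n"):
        if line.startswith("-") or (escape_from and line.startswith("From ")):
            line = "- " + line
        out.append(line)
    return "\n".join(out)

def dash_unescape(text, strict=False):
    """Strip '- ' prefixes; strict=True models a reader that only accepts '- -'."""
    prefix = "- -" if strict else "- "
    return "\n".join(l[2:] if l.startswith(prefix) else l for l in text.split("\n"))

def mbox_quote(text):
    """Assumed delivery-agent behaviour: '>' put in front of 'From ' lines."""
    return "\n".join(">" + l if l.startswith("From ") else l for l in text.split("\n"))

def survives_delivery(body, escape_from, strict_reader=False):
    """True if the digest of what the verifier recovers equals the signer's digest."""
    signed_digest = digest(body)  # computed on the cleartext, not the escaped form
    delivered = mbox_quote(dash_escape(body, escape_from))
    recovered = dash_unescape(delivered, strict_reader)
    return digest(recovered) == signed_digest

if __name__ == "__main__":
    print(dash_escape(BODY))
    print("plain 7.1 escaping survives mbox quoting:", survives_delivery(BODY, False))
    print("with '- From ' escaping:", survives_delivery(BODY, True))
    print("strict '- -' reader:", survives_delivery(BODY, True, strict_reader=True))
```

The strict-reader case corresponds to the one compatibility risk named in the thread: a verifier that only treats "- -" as dash-escaped would hash "- From " literally and reject the message.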