On Fri, 27 Apr 2001, The IESG wrote:
> The IESG has received a request from the An Open Specification for
> Pretty Good Privacy Working Group to consider MIME Security with
> OpenPGP <draft-ietf-openpgp-mime-06.txt> as a Proposed Standard.

draft-ietf-openpgp-mime-06.txt assumes that the content-transfer-encoding
of a body part in a multipart MIME message will remain unchanged end to
end. That assumption is not valid. Some currently deployed mailers
(including sendmail) will convert body parts to or from 8bit
content-transfer-encoding. It's quite possible that a body part could
originate in quoted-printable, be signed like that, and be converted to
8bit before delivery.

In 1998, many messages to the IETF list ended up with headers like this,
showing conversion to 8bit during delivery of the incoming message to the
list exploder, and conversion from 8bit during delivery of the outgoing
messages to the subscribers:

    X-MIME-Autoconverted: from Quoted-printable to 8bit by ietf.org id LAA20175
    X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id LAB20435

Similar behaviour is visible today in other mailing lists, but apparently
not the ietf list.

I believe that it's a mistake for OpenPGP to sign the transfer-encoded
form of any message. The signature should be over the canonical form of
the message, and signature verification should be insensitive to changes
in content-transfer-encoding.

--apb (Alan Barrett)
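
Added example, not part of the original message or of the draft: a Python sketch of the failure mode described above, in which one body part is carried as quoted-printable and then as 8bit, as a converting relay would leave it. SHA-256 stands in for the signature's hash input, and the sample content, function names and header set are assumptions made for illustration.

```python
import hashlib
import quopri

# Constructed sample content (not from the message): UTF-8 text, CRLF line ends.
CONTENT = "Gr\u00fc\u00dfe aus Z\u00fcrich,\r\nsigned text = important\r\n".encode("utf-8")


def make_part(content: bytes, cte: str) -> bytes:
    """Wire form of a text body part under the given transfer encoding."""
    if cte == "quoted-printable":
        body = quopri.encodestring(content)
    elif cte == "8bit":
        body = content  # 8bit carries the octets unchanged
    else:
        raise ValueError(f"unsupported encoding: {cte}")
    headers = (b"Content-Type: text/plain; charset=utf-8\r\n"
               b"Content-Transfer-Encoding: " + cte.encode("ascii") + b"\r\n\r\n")
    return headers + body


def decode_part(part: bytes) -> bytes:
    """Undo the transfer encoding named in the part's own header."""
    head, _, body = part.partition(b"\r\n\r\n")
    cte = "7bit"  # MIME default when the header is absent
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-transfer-encoding":
            cte = value.strip().decode("ascii").lower()
    if cte == "quoted-printable":
        return quopri.decodestring(body)
    if cte in ("7bit", "8bit", "binary"):
        return body
    raise ValueError(f"unsupported encoding: {cte}")


def digest_wire(part: bytes) -> str:
    """Digest over the transfer-encoded part, headers included."""
    return hashlib.sha256(part).hexdigest()


def digest_decoded(part: bytes) -> str:
    """Digest over the content after transfer decoding."""
    return hashlib.sha256(decode_part(part)).hexdigest()


if __name__ == "__main__":
    signed = make_part(CONTENT, "quoted-printable")  # form the sender signed
    delivered = make_part(CONTENT, "8bit")           # form after relay conversion
    print("wire digests match:   ", digest_wire(signed) == digest_wire(delivered))
    print("decoded digests match:", digest_decoded(signed) == digest_decoded(delivered))
```

The wire digests differ although the content is identical, so a signature computed over the transfer-encoded bytes no longer verifies after the conversion; the digest over the decoded content is the same in both forms.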
