with reference to this thread
http://forums.opensuse.org/english/get-help-here/network-internet/448586-nnt...
several nntp users on the openSUSE forum have discussed an unexpected change in the line preceding the nntp signature from "--" to "- --" when using several different Linux mail/usenet clients and signing the message with OpenPGP..
while it doesn't seem to be a problem with the clients (and i highly doubt it to be an openSUSE problem) i failed in trying to google and learn if:
1. it is a bug in OpenPGP
2. if a bug, if it has been reported
3. the extra "- " just what the nntp/pgp RFC calls for
4. it is a bug in PGP
5. it is a bug in the interaction between nntp and PGP/OpenPGP
6. ???
in any event, if anyone can tell me anything about where to ask or report, i'd appreciate it..
sorry if i overlooked an easily found answer,
DenverD
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
DenverD wrote:
with reference to this thread
http://forums.opensuse.org/english/get-help-here/network-internet/448586-nnt...
several nntp users on the openSUSE forum have discussed an unexpected change in the line preceding the nntp signature from "--" to "- --" when using several different Linux mail/usenet clients and signing the message with OpenPGP..
while it doesn't seem to be a problem with the clients (and i highly doubt it to be an openSUSE problem) i failed in trying to google and learn if:
1. it is a bug in OpenPGP 2. if a bug, if it has been reported 3. the extra "- " just what the nntp/pgp RFC calls for
I can't imagine openpgp nor gnupg needing or wanting to change the content of the message being signed. -- Per Jessen, Zürich (5.4°C)
* DenverD <DenverD@texan.dk> [10-26-10 05:06]:
with reference to this thread http://forums.opensuse.org/english/get-help-here/network-internet/448586-nnt...
several nntp users on the openSUSE forum have discussed an unexpected change in the line preceding the nntp signature from "--" to "- --" when using several different Linux mail/usenet clients and signing the message with OpenPGP..
I cannot answer whether it is an openssh bug but it has been noticed and appears *only* with users of crypto signing. btw, it is changing from "-- " (dash, dash, space) rather than "--". -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Patrick Shanahan wrote:
* DenverD <DenverD@texan.dk> [10-26-10 05:06]:
with reference to this thread http://forums.opensuse.org/english/get-help-here/network-internet/448586-nnt...
several nntp users on the openSUSE forum have discussed an unexpected change in the line preceding the nntp signature from "--" to "- --" when using several different Linux mail/usenet clients and signing the message with OpenPGP..
I cannot answer whether it is an openssh bug but it has been noticed and appears *only* with users of crypto signing. btw, it is changing from "-- " (dash, dash, space) rather than "--".
absolutely....of course you are correct it is from "-- " to "- --" dropping (or moving) the original trailing space and adding a new leading dash space.. DenverD
* DenverD <DenverD@texan.dk> [10-26-10 11:21]:
Patrick Shanahan wrote:
I cannot answer whether it is an openssh bug but it has been noticed and appears *only* with users of crypto signing. btw, it is changing from "-- " (dash, dash, space) rather than "--".
absolutely....of course you are correct it is from "-- " to "- --" dropping (or moving) the original trailing space and adding a new leading dash space..
and appears to *only* affect "in-line" signing, not attachments. -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Patrick Shanahan wrote:
* DenverD <DenverD@texan.dk> [10-26-10 11:21]:
Patrick Shanahan wrote:
I cannot answer whether it is an openssh bug but it has been noticed and appears *only* with users of crypto signing. btw, it is changing from "-- " (dash, dash, space) rather than "--".
absolutely....of course you are correct it is from "-- " to "- --" dropping (or moving) the original trailing space and adding a new leading dash space..
and appears to *only* affect "in-line" signing, not attachments.
Is the signature still valid? -- Per Jessen, Zürich (6.0°C)
* Per Jessen <per@opensuse.org> [10-26-10 12:43]:
Patrick Shanahan wrote:
and appears to *only* affect "in-line" signing, not attachments.
Is the signature still valid?
I believe so. I no longer bother with crypto signing since six or seven years ago so this is based on old memory. Carlos ER used to include inline signing when he used pine comes to mind. I cannot see that signing verification is of much use except with contract and/or financial dealings. -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Patrick Shanahan wrote:
* Per Jessen <per@opensuse.org> [10-26-10 12:43]:
Patrick Shanahan wrote:
and appears to *only* affect "in-line" signing, not attachments.
Is the signature still valid?
I believe so.
DenverD says it appears as "signed", but can anyone confirm that it also validates? If it's a valid signature it means the email was altered before it was signed. If it's not, it was altered afterwards. -- Per Jessen, Zürich (4.4°C)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday, 2010-10-26 at 13:07 -0400, Patrick Shanahan wrote:
* Per Jessen <> [10-26-10 12:43]:
Patrick Shanahan wrote:
and appears to *only* affect "in-line" signing, not attachments.
Is the signature still valid?
I believe so.
It is part of the signing process to convert dash-dash-space to dash-space-dash-dash-space (on a line and alone). I know I have read an explanation of why this is done, but I don't remember where.
I no longer bother with crypto signing since six or seven years ago so this is based on old memory. Carlos ER used to include inline signing when he used pine comes to mind.
I do >:-)
I cannot see that signing verification is of much use except with contract and/or financial dealings.
And PGP signing is not used for any of those: they want a system with a certification authority (and one they trust). PGP is a kind of renegade thing (that's not the word I want, but it will do).
Me, I use one because somebody was faking emails in one of the lists (years ago now), and it is no use to turn to signing after the fact.
- --
Cheers, Carlos E. R. (from 11.2 x86_64 "Emerald" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
iEYEARECAAYFAkzHJ5sACgkQtTMYHG2NR9V1/wCeOa52Y7ovpbimdE0SAb2dEi54
cQ8An1IegJqM7JwFpDIbPOv1wGl15y5Q
=OoL2
-----END PGP SIGNATURE-----
Carlos E. R. wrote:
It is part of the signing process to convert dash-dash-space to dash-space-dash-dash-space (on a line and alone).
I know I have read an explanation of why this is done, but I don't remember where.
It sounds very dodgy for the contents to be altered by the signing program.
I cannot see that signing verification is of much use except with contract and/or financial dealings.
And PGP signing is not used for any of those: they want a system with a certification authority (and one they trust). PGP is a kind of renegade thing (that's not the word I want, but it will do).
Yes and no - it's all about trust, and in the end you've got to trust someone. There's nothing "renegade" about e.g. gnupg, its development was even funded by two Federal German Ministries. http://de.wikipedia.org/wiki/GNU_Privacy_Guard -- Per Jessen, Zürich (4.4°C)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday, 2010-10-26 at 21:21 +0200, Per Jessen wrote:
Carlos E. R. wrote:
It is part of the signing process to convert dash-dash-space to dash-space-dash-dash-space (on a line and alone).
I know I have read an explanation of why this is done, but I don't remember where.
It sounds very dodgy for the contents to be altered by the signing program.
It is part of the standard. Certain letter combinations that are used for other things have to be defanged (is that the word?). The begin line-dash-dash means something else for pgg, so the signature can not start that way or it breaks. This change is intentional and documented, but I can't remember where.
I cannot see that signing verification is of much use except with contract and/or financial dealings.
And PGP signing is not used for any of those: they want a system with a certification authority (and one they trust). PGP is a kind of renegade thing (that's not the word I want, but it will do).
Yes and no - it's all about trust, and in the end you've got to trust someone. There's nothing "renegade" about e.g. gnupg, its development was even funded by two Federal German Ministries.
PGP requires that you exchange keys in person, face to face, with the person you are going to communicate, so that you know that the keys are really from that person.
If you get the key from a repository but nobody certifies to you that those keys really belong to whom they say, they are useless as certification of identity. This is why they make "key signing parties", like the one they held recently at the opensuse conference.
My email is signed, but how do you know that I'm named that way, and that I'm not posing as somebody else? The only thing I certify with that signature is that all mails signed with the same key come from the same person. Not that I'm really Carlos.
The keys that are used for identification rely on a central organization that verifies who you are (in person) and then they give you a key, or you make one and they sign it.
- --
Cheers, Carlos E. R. (from 11.2 x86_64 "Emerald" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
iEYEARECAAYFAkzHW0sACgkQtTMYHG2NR9UfyQCcDLhZJgh0Cr+eOYqaWoMmDJ9h
oa0AmwZN8IZgQ7OMxwufpV5KjrPm4Urg
=3/AG
-----END PGP SIGNATURE-----
Carlos E. R. wrote:
On Tuesday, 2010-10-26 at 21:21 +0200, Per Jessen wrote:
Carlos E. R. wrote:
It is part of the signing process to convert dash-dash-space to dash-space-dash-dash-space (on a line and alone).
I know I have read an explanation of why this is done, but I don't remember where.
It sounds very dodgy for the contents to be altered by the signing program.
It is part of the standard. Certain letter combinations that are used for other things have to be defanged (is that the word?). The begin line-dash-dash means something else for pgg, so the signature can not start that way or it breaks. This change is intentional and documented, but I can't remember where.
Interesting, I didn't know. Does that mean that gpg-aware email agents should be decoding this too?
I cannot see that signing verification is of much use except with contract and/or financial dealings.
And PGP signing is not used for any of those: they want a system with a certification authority (and one they trust). PGP is a kind of renegade thing (that's not the word I want, but it will do).
Yes and no - it's all about trust, and in the end you've got to trust someone. There's nothing "renegade" about e.g. gnupg, its development was even funded by two Federal German Ministries.
PGP requires that you exchange keys in person, face to face, with the person you are going to communicate, so that you know that the keys are really from that person.
I'm sure I've heard of a scheme in Germany whereby you were able to use Deutsche Post as an intermediary - Postident I think it is. I don't know if it still works.
If you get the key from a repository but nobody certifies to you that those keys really belong to whom they say, they are useless as certification of identity. This is why they make "key signing parties", like the one they held recently at the opensuse conference.
Sure - c't has been running their "Crypto-Kampagne" since 1997.
My email is signed, but how do you know that I'm named that way, and that I'm not posing as somebody else? The only thing I certify with that signature is that all mails signed with the same key come from the same person. Not that I'm really Carlos.
Well, it's not about your _identity_ as such, it's about authentication of the email. -- Per Jessen, Zürich (8.8°C)
Per Jessen wrote:
It is part of the standard. Certain letter combinations that are used for other things have to be defanged (is that the word?). The begin line-dash-dash means something else for pgg, so the signature can not start that way or it breaks. This change is intentional and documented, but I can't remember where.
Interesting, I didn't know. Does that mean that gpg-aware email agents should be decoding this too?
I can answer that one myself - yes it does, and e.g. knode does such a decoding too. I guess that also answers DenverDs question: 6) bug in the email client -- Per Jessen, Zürich (8.8°C)
Per Jessen wrote:
Per Jessen wrote:
It is part of the standard. Certain letter combinations that are used for other things have to be defanged (is that the word?). The begin line-dash-dash means something else for pgg, so the signature can not start that way or it breaks. This change is intentional and documented, but I can't remember where. Interesting, I didn't know. Does that mean that gpg-aware email agents should be decoding this too?
I can answer that one myself - yes it does, and e.g. knode does such a decoding too. I guess that also answers DenverDs question:
6) bug in the email client
seems (per Carlos) there is no bug in the question, only ignorance of the way it is.. DenverD
On Wed, 27 Oct 2010 16:42:22 +0200, DenverD wrote:
seems (per Carlos) there is no bug in the question, only ignorance of the way it is..
Seems to me that if a newsreader understands "-- " as the marker for a sig block and that were inside a GPG/PGP signed message, the newsreader would ignore the actual signature at the end of the message, so changing it is necessary for the signature to be interpreted by the software so it can be validated. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
Per Jessen wrote:
Carlos E. R. wrote:
On Tuesday, 2010-10-26 at 21:21 +0200, Per Jessen wrote:
Carlos E. R. wrote:
It is part of the signing process to convert dash-dash-space to dash-space-dash-dash-space (on a line and alone).
I know I have read an explanation of why this is done, but I don't remember where. It sounds very dodgy for the contents to be altered by the signing program. It is part of the standard. Certain letter combinations that are used for other things have to be defanged (is that the word?). The begin line-dash-dash means something else for pgg, so the signature can not start that way or it breaks. This change is intentional and documented, but I can't remember where.
Interesting, I didn't know. Does that mean that gpg-aware email agents should be decoding this too?
yes, when i look at a pgp-signed message in thunderbird (with the Enigmail addon) i do not see "- --" instead, i see "-- " (well, i don't see the trailing space, of course..) DenverD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday, 2010-10-27 at 16:19 +0200, Per Jessen wrote:
Carlos E. R. wrote:
It is part of the standard. Certain letter combinations that are used for other things have to be defanged (is that the word?). The begin line-dash-dash means something else for pgg, so the signature can not start that way or it breaks. This change is intentional and documented, but I can't remember where.
Interesting, I didn't know. Does that mean that gpg-aware email agents should be decoding this too?
Yep. I found the reference to this, by Patrick 3 years ago, who got it from the mutt mail list:
+++···········
<http://lists.opensuse.org/opensuse/2007-06/msg00841.html>
Why is the <dash><dash><space> signature indicator not display properly in inline gpg signed posts, ie: <dash><space><dash><dash><space>.
This is so that no software deletes the mail's signature including the gpg signature even by accident. I don't know if it's the official reason but at least it makes sense... :)
It's required by RFC2440 (the OpenPGP standard). See section 7.1 therein.
············++-
And here it is an official reference:
<http://www.ietf.org/rfc/rfc2440.txt>
+++···········
RFC 2440 OpenPGP Message Format November 1998
7.1. Dash-Escaped Text
The cleartext content of the message must also be dash-escaped.
Dash escaped cleartext is the ordinary cleartext where every line starting with a dash '-' (0x2D) is prefixed by the sequence dash '-' (0x2D) and space ' ' (0x20). This prevents the parser from recognizing armor headers of the cleartext itself. The message digest is computed using the cleartext itself, not the dash escaped form.
As with binary signatures on text documents, a cleartext signature is calculated on the text using canonical <CR><LF> line endings. The line ending (i.e. the <CR><LF>) before the '-----BEGIN PGP SIGNATURE-----' line that terminates the signed text is not considered part of the signed text.
Also, any trailing whitespace (spaces, and tabs, 0x09) at the end of any line is ignored when the cleartext signature is calculated.
············++-
PGP requires that you exchange keys in person, face to face, with the person you are going to communicate, so that you know that the keys are really from that person.
I'm sure I've heard of a scheme in Germany whereby you were able to use Deutsche Post as an intermediary - Postident I think it is. I don't know if it still works.
That is interesting. I have not seen such meetings here, in Spain. What we have is, that the same entity that prints paper money (the mint?) emits pkcs certificates. or signs them. We go to a web page, do something, we print the page, then go in person to a government office where an official sees the page, our identification, our face, and then prints another page with which we can obtain the electronic certificate, which thus identifies us for things that need official identification, like paying taxes.
- --
Cheers, Carlos E. R. (from 11.2 x86_64 "Emerald" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
iEYEARECAAYFAkzIUqIACgkQtTMYHG2NR9VO8wCeJDdDTd73rXa58/Ji1oHeSpAm
EbwAnjH344kX9U4cqbtrrQhAv5BZUAlC
=uo4Z
-----END PGP SIGNATURE-----
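The dash-escaping rule from RFC 2440 section 7.1 quoted in the message above, sketched in Python as an added example; it is not part of any post in this thread and is not GnuPG's code. All function names and the sample body are constructed for illustration, the signature is a placeholder, and the digest covers only the text part of what a real OpenPGP signature hashes.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def dash_escape(text):
    """RFC 2440 7.1: prefix every line that starts with '-' with '- '."""
    return "\n".join("- " + ln if ln.startswith("-") else ln
                     for ln in text.split("\n"))


def dash_unescape(text):
    """Inverse step that a verifying or displaying client applies."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))


def canonical_text(text):
    """Bytes of the text as hashed: trailing spaces/tabs ignored, CRLF
    line endings, no line ending after the last line."""
    return "\r\n".join(ln.rstrip(" \t") for ln in text.split("\n")).encode()


def text_digest(text):
    # Only the document part of the hash input; a real OpenPGP signature
    # also hashes signature-packet fields, which are omitted here.
    return hashlib.sha256(canonical_text(text)).hexdigest()


def frame(body, escape=True):
    """Wrap body in the cleartext framework with a placeholder signature."""
    shown = dash_escape(body) if escape else body
    return "\n".join([BEGIN_MSG, "Hash: SHA256", "", shown,
                      BEGIN_SIG, "", "(placeholder, not a real signature)",
                      "-----END PGP SIGNATURE-----"])


def extract_signed_text(framed):
    """Return the text a verifier would hash from a framed message."""
    lines = framed.split("\n")
    start = lines.index("") + 1          # blank line ends the armor headers
    end = lines.index(BEGIN_SIG, start)  # first signature header ends the text
    return dash_unescape("\n".join(lines[start:end]))


# Constructed sample: a short post ending in the "-- " signature delimiter.
BODY = "Hello list,\n\n-- \nDenverD"

if __name__ == "__main__":
    print(frame(BODY))                                # shows "- -- " on the wire
    print(extract_signed_text(frame(BODY)) == BODY)   # unescaped before hashing
```

The digest is taken over the unescaped text, so the "- -- " seen on the wire does not alter what was signed; the delimiter's trailing space is ignored by the canonical form either way.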
Per Jessen wrote:
Patrick Shanahan wrote:
* DenverD <DenverD@texan.dk> [10-26-10 11:21]:
Patrick Shanahan wrote:
I cannot answer whether it is an openssh bug but it has been noticed and appears *only* with users of crypto signing. btw, it is changing from "-- " (dash, dash, space) rather than "--". absolutely....of course you are correct it is from "-- " to "- --" dropping (or moving) the original trailing space and adding a new leading dash space..
and appears to *only* affect "in-line" signing, not attachments.
Is the signature still valid?
yes...well, it appears to be...it is displayed in my client as signed by [whoever] with not a hint of an error anywhere.. DenverD
participants (5)
- Carlos E. R.
- DenverD
- Jim Henderson
- Patrick Shanahan
- Per Jessen