signing emails

Werner Koch
Wed Dec 11 18:39:02 2002

On Wed, 11 Dec 2002 16:20:14 +0000, Graham  said:

> On Wednesday 11 Dec 2002 3:20 pm, Anthony E. Greene wrote:
>> PGP/MIME is the official standard.
> [snipped]

> Who says?  Where is this specifically stated?


  7. Cleartext signature framework

   It is desirable to sign a textual octet stream without ASCII armoring
   the stream itself, so the signed text is still readable without
   special software. In order to bind a signature to such a cleartext,
   this framework is used.  (Note that RFC 2015 defines another way to
   clear sign messages for environments that support MIME.)

rfc3156 (successor of 2015):

  1.  Introduction

   Work on integrating PGP (Pretty Good Privacy) with MIME [3]
   (including the since withdrawn "application/pgp" content type) prior
   to RFC 2015 suffered from a number of problems, the most significant
   of which is the inability to recover signed message bodies without
   parsing data structures specific to PGP.  RFC 2015 makes use of the
   elegant solution proposed in RFC 1847, which defines security
   multipart formats for MIME.  The security multiparts clearly separate
   the signed message body from the signature, and have a number of
   other desirable properties.  This document revises RFC 2015 to adopt
   the integration of PGP and MIME to the needs which emerged during the
   work on the OpenPGP specification.

Both are on the standards track and in PROPOSED STANADARD status.  As
soon as you use non-asciii characters, you want to use PGP/MIME
because it allows in a clean way to define the used character set.
(MIME, rfc2045 is already in the DRAFT STANDARD status).  Firthermore,
signing a message with attachment in a clean way is also only possible
using PGP/MIME.