[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multiple OpenPGP messages per file: legal or not?



On Mon, Oct 08, 2007 at 10:34:25AM +0100, Rachel Willmer wrote:
> 
> On 08/10/2007, David Shaw <dshaw@xxxxxxxxxxxxxxx> wrote:
> >
> > On Sun, Oct 07, 2007 at 11:41:25PM +0100, Rachel Willmer wrote:
> > >
> > > If (d) "out of scope", which spec does define file formats?
> > >
> > > If the answer is "there isn't one which does", how do we plan to do
> > > interoperability between applications which use the OpenPGP packet
> > > format? e.g. to transfer Encrypted Messages.
> >
> > I didn't quite mean "out of scope" in that sense.  I meant "the spec
> > doesn't mandate it or forbid it, so it's up to the implemention to
> > decide."  As you saw, GPG doesn't do it.
> 
> It shouldn't be up to the implementation to decide (IMHO). If the goal
> of the WG is "to provide IETF standards for the algorithms and formats
> of PGP processed objects", then surely some standard file formats
> should be defined [*] : e.g. keyring, encrypted file, signed file,
> etc.

I think the spec does define this.  It defines all of those items that
you mention in the grammar in section 11.3.  Any OpenPGP-compliant
application should be able to write such a message in such a way that
any other OpenPGP-complaint application can read it, or one or both of
the implementations aren't OpenPGP compliant.

What the spec doesn't define is whether an application must process an
"OpenPGP Message, OpenPGP Message" -- two messages concatenated
together.  There is an assumption in the spec that a single stream
contains a single message, and in fact there are some legal ways to
encode data that actually require a single stream to contain a single
message.

This doesn't mean that an application can't read concatenated messages
(when possible) if it chooses to, of course, though it should be
careful about generating them, as there is no guarantee that the
recipient can read them.

David