Inline PGP in E-mail is bad, Mm'kay?

This was written after one too many tiring discussion when someone wanted to support inline PGP in e-mail. The title was inspired by South Park. This is a live document, and your feedback will improve it. Contributions will be acknowledged.

This document assume some familiarity with e-mail message formats, MIME and PGP.

This document is based on my experience with actually implementing and supporting inline PGP in the real world, in the Gnus message user agent.

What is "inline PGP"?

Inline PGP is sending the OpenPGP blobs directly inside a e-mail message. Example:

From: Simon Josefsson <jas@extundo.com>
To: Simon Josefsson <jas@extundo.com>
Subject: Don't do this, Mm'kay?
Date: Thu, 09 Dec 2004 02:49:22 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is signed text.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.93-cvs (GNU/Linux)

iQC1AwUBQbevJO2iHpS1ZXFvAQLa/AT+Koj9YgqqYr1y5G/BlaEhQIqZlcXKqRXb
+rE3AIz5TCI3mYpSpZ9mwEwrdWByT6duEqjxErVoHvBYZhLgX7BahqkiFMeLwXPD
MR0fE/G9Gg8oANj3UHe64G3JqoQbfa/a8k5luYe2b7px2yLtaaTXJZpZqK+x/qIa
9fW0rsc1q1XXPDR1Z+CHQ/JqYzoIQZvzhq3/27Vpy8VxE03RAhQc6w==
=uI1y
-----END PGP SIGNATURE-----
    

Why is it bad?

The problems include:

• Attachments doesn't work.
• Non-ASCII doesn't work reliably.
• Format=flowed (RFC 2646/3676) doesn't work reliably.
• UseNet '-- ' signatures trigger space stuffing, which break compatibility with RFC 1991.
• Sending 'diff' patches via inline PGP signed e-mail trigger space stuffing, which break cut'n'paste into 'patch'.

So when can I use it?

Some people don't regard the above as problems. Some people just don't care. Reluctantly, I have to admit that sending inline PGP can work reliable if you follow the following rules:

• Use only printable ASCII.
• Avoid starting lines with 'From ' or '-', to avoid issues caused by over-eager From-escaping, or space stuffing.
• Don't use format=flowed.
• Don't use attachments.
• Don't send 'diff' patches.

What should I be doing?

Use PGP/MIME, aka RFC 3156. For example:

From: Simon Josefsson <jas@extundo.com>
To: Simon Josefsson <jas@extundo.com>
Subject: Do this, Mm'kay?
Date: Thu, 09 Dec 2004 02:58:58 +0100
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha1; protocol="application/pgp-signature"

--=-=-=

This is signed text.
--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.93-cvs (GNU/Linux)

iQC1AwUAQbexYu2iHpS1ZXFvAQK/IAT/Ue2hYtwW9oPTlKf3cI25LdzyxjU2x2/j
W8KxE56fENCGUvztBG8f/DQUW+ovLFDarao4Oc52TiMuxvFC5LrHQlsfVpuYavQh
fIlekzDTG84FHXGV9ETy2DOURDQKPFi1aoiWb8gktluheJ2SeF5CRcGaWazLWFdV
eLWdTlRZ2UP3tAY0VVTMPa51Pc0IYBABmdKEgPVmKLQVBmTzcIX39g==
=kmls
-----END PGP SIGNATURE-----
--=-=-=--