OpenPGP headers

Atom 'Smasher' atom at suspicious.org
Thu Aug 12 04:05:34 CEST 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 11 Aug 2004, Simon Josefsson wrote:
> Atom 'Smasher' <atom at suspicious.org> writes:

> I believe a BNF schema describing the structure is needed, to match
> how headers are described in 2822.  How about the grammar below?
> Review appreciated.
==================

very nice... i can ~almost~ read that BNF notation, but i wasn't going to 
attempt writing anything in it.


> I intentionally made 0x optional,
====================

what do the gurus think? dave? werner?

i think a 0x prefix "SHOULD" be used. not mandatory, but if there isn't a 
good reason for skipping it, then use it.


> and permitted a unlabeled Key ID, fingerprint or URL.  The text will 
> have to be synced with that change. If people think it is a good idea, 
> of course.
=====================

my concern here is the burden that it might place on parsing engines 
versus the improvement in human readability... sure, it's not a ridiculous 
burden, but i think that any person inclined to read the header won't be 
confused by it. at the very least, i then i think a key ID MUST have a 
"0x" prefix, *if* it's unlabeled.


> I also added a 'created' value pair.  I'm not convinced it make sense,
> just like I'm not sure alg/size make sense.  'Created' contain unix
> time below, matching the V3/V4 key packet 'created' value.  Perhaps
> 'date-time' could be used, instead of unix time, although the relative
> free form of that terminal, together with time zones, might make it
> overly complex.  Human readable dates can always be put into comments,
> like:
>
> OpenPGP: id=0xB565716F; created=471147111 (10 Aug 2004 22:34:51 +0000)
>
> I think that would be more reliable.
===============

well, they're all optional parameters, so i don't think there's anything 
wrong with including it... as long as someone out there finds it useful. 
there ~are~ people still using v3 keys.

i do like that it's in unix time, with a human readable date as a comment.


> There should probably be text pointing out that alg/size/created is
> only useful for V3 keys, as per Werner's recommendation.
================

since all parameters are optional, i don't think it's necessary to mention 
that... people can use whatever parameters they want, guided only by their 
paranoia.

while i acknowledge that werner is more of a pgp guru than i am, i just 
want to point out that before the deadbeef attack, people thought that a 
fingerprint was the only token needed in verifying a v3 key. who knows 
what attacks the future will reveal? who knows how we'll defend against 
those attacks?

thus, my paranoia tells me to verify key size and algo even on v4 keys. 
not that it's feasible to create a small v4 key that matches my 
fingerprint, but i suspect it's *much* harder to create a 4096 v4 key that 
matches my fingerprint.


> I don't know how to easily permit:
>
> OpenPGP: 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
>
> Instead of just:
>
> OpenPGP: 0424D4EE81A0E3D119C6F835EDA21E94B565716F
>
> I think the first should be permitted, for readability.  If some knows
> of a neat ABNF trick to get the first one, that would be good.  Of
> course, ugly ABNF is simple to create for it..  This need to be fixed.
===================

can that be done with double quotes? even if it can be done:
   1) it places an additional burden on the parser
   2) if the header is folded then human readability is not gained

in any case, one can do this:
 	OpenPGP: url=http://abc.xyz
 		(1234 5678 90AB CDEF 0123  4567 890A BCDE F012 3456)

and include a fingerprint with spaces as a comment. folding could make 
that very ugly.

is it valid syntax to place a comment before a parameter? or use 1 or more 
comments with zero parameters? if the first thing in the header is a 
comment, then folding is less likely to affect it.


> If you would accept me as co-editor, I could convert your draft into
> xml2rfc format, and add the ABNF below.  The format is pretty self
> explanatory, if you know HTML or general XML.  See RFC 2629 for the
> full documentation.
===================

hehe... you're hired!



         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"Not a single war has been fought by vegetarians."
 		-- Akbarali Jetha
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJBGtB0AAoJEAx/d+cTpVcigKwH/iLki14MeTxDnyyDG2SL1EkR
fe5NEh4EiNtjpbIp9MNHY6yooM3Ym708HYE0dVxggUVVlr1H+QZyY4NwV9MmA9o3
lPfZ+1d2dzcHCvUmiVHmEMOx2RyJQzaQIikC4xERnhgUNEAzNxModCteDqS3xvQx
OHFBHTc+Qb4OtpcoRfTaXM16bLm4GEwRkuYqK53txulKmltPNoXlHH7LxFm66AKh
Yfhes7t4VjDcpKfiqiULbDaaoKOUzeZteUZ44arvV9IQQ7lJ3G/RPMWE3bgURBsQ
B4HgearjhBn8bG07nzO7bVqg3WqDYNbLobUuEFAAWG57XEEX46BLUl5QB1+0IPQ=
=gxO0
-----END PGP SIGNATURE-----

More information about the Gnupg-devel mailing list