OpenPGP headers

Atom 'Smasher' atom at suspicious.org
Mon Nov 15 17:50:00 CET 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, 15 Nov 2004, Moritz Schulte wrote:

> Could you please explain the rationale behind this header field slightly 
> more verbose than you did in this paper?  I am not convinced that is is 
> necessary.
>
> Reason: keys should be on keyservers (keyservers are a standard) and all 
> those information, which are to be encoded with this header field can be 
> derived from the key itself.  In other words: the only necessary 
> information is something like a key ID (in case the mail is not signed).
>
> What am I missing?
===========================

let's say you get an email from "bob". you go to the keyservers and find 
several keys that claim to belong to bob, but you're not sure which one(s) 
are currently in use, or even which one ~really~ belongs to bob (none of 
the keys are signed). this header ads a _convenience_ (that shouldn't be 
considered secure!) to determine what key bob is using.

i've also run into cases where i find 2-3 (or more) keys that all have 
several signatures, but i have no idea which one i'm supposed to use. more 
often than not, the private key was lost on several of the old keys.

if this header is adopted as a standard, it could also allow MUAs to 
import a key when replying (but it must be understood that it's a 
convenience that may not be secure).

let's not fool ourselves, this is NOT secure... but as a convenience it's 
rather cool. once a key is retrieved, the security burden (as always) 
rests with the person who decides to import and use the key.


- -- 
         ...atom

  _________________________________________
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -------------------------------------------------

 	"According to Business Week, the average CEO [Chief
 	 Executive Officer] made 42 times the average blue-collar
 	 worker's pay in 1980, 85 times in 1990 and a staggering
 	 531 times in 2000."
 		-- AFL-CIO 'Executive Paywatch'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJBmN49AAoJEAx/d+cTpVci03wIALbWPclxf7XmsBDl2Mg0b/Ox
v6ygcQAh/9HkAYHQ+anS9gIEc3MAiYsomnibw5uFP6Mou7hOHznikMT9p8HiXF4p
OZTaQjceXt3KPnPjBepvwraJSqtlhR2lBJq2dSuiUz6v1I3rJjpKKT9kZnGOMDNl
5soxMK9LroqIrh8TjrLlzcN6AFTHwNp1EIWo7pDB9ecOGUoFzcawhmaKoZTXZnmh
wRFiiV0hWR/ow5efSNtAwI2nS/oivOzx3tbNelR2jC0POzSZmae+Vc+TLixi6Gcg
sfs/CIPeZmwJSHiKgWovOU18abx8KgME1NaUKJRI2lgmIS1Ftg7NPUeCJYZfazM=
=pFPQ
-----END PGP SIGNATURE-----



More information about the Gnupg-devel mailing list