OpenPGP headers

Atom 'Smasher' atom at
Mon Nov 15 17:50:00 CET 2004

Hash: SHA256

On Mon, 15 Nov 2004, Moritz Schulte wrote:

> Could you please explain the rationale behind this header field slightly 
> more verbose than you did in this paper?  I am not convinced that is is 
> necessary.
> Reason: keys should be on keyservers (keyservers are a standard) and all 
> those information, which are to be encoded with this header field can be 
> derived from the key itself.  In other words: the only necessary 
> information is something like a key ID (in case the mail is not signed).
> What am I missing?

let's say you get an email from "bob". you go to the keyservers and find 
several keys that claim to belong to bob, but you're not sure which one(s) 
are currently in use, or even which one ~really~ belongs to bob (none of 
the keys are signed). this header ads a _convenience_ (that shouldn't be 
considered secure!) to determine what key bob is using.

i've also run into cases where i find 2-3 (or more) keys that all have 
several signatures, but i have no idea which one i'm supposed to use. more 
often than not, the private key was lost on several of the old keys.

if this header is adopted as a standard, it could also allow MUAs to 
import a key when replying (but it must be understood that it's a 
convenience that may not be secure).

let's not fool ourselves, this is NOT secure... but as a convenience it's 
rather cool. once a key is retrieved, the security burden (as always) 
rests with the person who decides to import and use the key.

- -- 

  PGP key -
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

 	"According to Business Week, the average CEO [Chief
 	 Executive Officer] made 42 times the average blue-collar
 	 worker's pay in 1980, 85 times in 1990 and a staggering
 	 531 times in 2000."
 		-- AFL-CIO 'Executive Paywatch'

Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?


More information about the Gnupg-devel mailing list