a small feature request

Janusz A. Urbanowicz alex at bofh.net.pl
Thu Feb 24 16:05:54 CET 2005 

On Thu, Feb 24, 2005 at 09:24:52AM -0500, David Shaw wrote:
> On Thu, Feb 24, 2005 at 12:17:06PM +0100, Janusz A. Urbanowicz wrote:
> > It would be useful to have GPG http keyserver helper to announce itself in
> > HTTP transaction using "User-Agent" field in request. Now this field is not
> > sent (as it is not obligatory). This results in the following being recorded
> > on the server side:
> > 
> > host81-134-162-60.in-addr.btopenworld.com - - [24/Feb/2005:04:30:06 +0100]
> >   "GET /crypto/0x46399138.asc HTTP/1.0" 200 23855 "-" "-" 7 quiston.tpsa.com
> >   "-" "-"
> >
> > Also, announcing GPG version would be useful for tracking of versions 
> > proliferation.
> 
> I've always resisted this, using the logic that if a server operator
> doesn't actually *need* to know the GnuPG version, why give it to
> them?  It's not a security-through-obscurity thing as the keyserver
> code needs to be safe no matter what, but more of a need-to-know
> thing.  None of their business - if I wanted to have my version
> tracked, I'd announce the version myself.

If so, why announce PGP/GPG version in Version: field off ASCII armor, as it
is done by default? 

Or, to further extend the logic, why include key IDs in encrypted mesages by
default?

As I not built gpg with libcurl yet, it is only a guess, but libcurl
sometimes passes its own User-Agent string, and it is possible that libcurl
http helper does so.

From my POV sending User-Agent is a part of being good citizen of the net.
I do not see a significant security gain in revealing the version in some
channels and hiding it in the other. Of course, there is possibility of
automated attacks against specific gpg versions done using this but it seems
that probability is minimal. Maybe the best way is that it would be a option
turned on by default.


> This is fine for HKP servers, none of which care if the User-Agent is
> there, but I've recently heard reports of some free web services that
> don't work with a blank User-Agent field.  That would be a problem for
> keyserver URLs pointing to a file on those servers.  This violates
> HTTP, of course, but good luck getting them to change.

I'm not saying it is a necessary feature. But as you say, lack of it could
cause problems in some scenarios.

Alex
-- 
mors ab alto 
0x46399138

More information about the Gnupg-devel mailing list