a small feature request

David Shaw dshaw at jabberwocky.com
Thu Feb 24 17:42:32 CET 2005


On Thu, Feb 24, 2005 at 04:05:54PM +0100, Janusz A. Urbanowicz wrote:

> > > Also, announcing GPG version would be useful for tracking of versions 
> > > proliferation.
> > 
> > I've always resisted this, using the logic that if a server operator
> > doesn't actually *need* to know the GnuPG version, why give it to
> > them?  It's not a security-through-obscurity thing as the keyserver
> > code needs to be safe no matter what, but more of a need-to-know
> > thing.  None of their business - if I wanted to have my version
> > tracked, I'd announce the version myself.
> 
> If so, why announce PGP/GPG version in Version: field off ASCII armor, as it
> is done by default? 

There is a switch to turn it off, which some people do.

> Or, to further extend the logic, why include key IDs in encrypted mesages by
> default?

Because it's part of the protocol, and decryption doesn't work
otherwise :)

(yes, I know - speculative key IDs.  It's not a required part of the
protocol, and not all programs support them (i.e. PGP)).

> As I not built gpg with libcurl yet, it is only a guess, but libcurl
> sometimes passes its own User-Agent string, and it is possible that libcurl
> http helper does so.

Blank by default.

> >From my POV sending User-Agent is a part of being good citizen of the net.
> I do not see a significant security gain in revealing the version in some
> channels and hiding it in the other. Of course, there is possibility of
> automated attacks against specific gpg versions done using this but it seems
> that probability is minimal. Maybe the best way is that it would be a option
> turned on by default.

I'm amused that it's always the server operators that want this so
they can see who is using their server.  It's never the users who ask
for this ;)

Understand that I'm not speaking about you specifically here, but this
is not "please make a change to me so I will give out more
information", but instead a "please make a change to other people so
they will give me more information".

> > This is fine for HKP servers, none of which care if the User-Agent is
> > there, but I've recently heard reports of some free web services that
> > don't work with a blank User-Agent field.  That would be a problem for
> > keyserver URLs pointing to a file on those servers.  This violates
> > HTTP, of course, but good luck getting them to change.
> 
> I'm not saying it is a necessary feature. But as you say, lack of it could
> cause problems in some scenarios.

I may be forced to make the change for this reason, though I still
think it's not necessary, or even a good idea.

I'll probably extend --emit-version / --no-emit-version to apply to
keyservers as well as the version string in armored messages.  Not in
1.4.1, though.  There are many changes in 1.4.1 already.

David



More information about the Gnupg-devel mailing list