[PATCH] avoid publishing the GnuPG version by default

ilf ilf at zeromail.org
Fri Aug 5 10:53:57 CEST 2016

Daniel Kahn Gillmor:
> The version of GnuPG in use is not particularly helpful. 
> It's probably better to take the more parsimonious approach to 
> metadata production by default.

Werner, Daniel and I talked about this at the OpenPGP-session during 
IETF 96. [1] Thanks Daniel, for following up on this!

I fully support this proposal.

Since "Pervasive Monitoring Is an Attack" [2], let's minimize metadata 
as much as possible, especially if it's unencrypted *and* not 
cryptographically verifiable.

The riseup.net "OpenPGP Best Practices" [3] refer to a gpg.conf [4] 
which already implements "no-emit-version". I and many other people have 
been using this with many implementations on many plattforms for a long 
time, without any problems. So I see no technical reason against the 

Even RFC 4880 lists no pressing reason for including this by default:

> The Armor Headers are pairs of strings that can give the user or the 
> receiving OpenPGP implementation some information about how to decode 
> or use the message. [5]

I can't see how "Version: GnuPG v2" tells me or an OpenPGP 
implementation "how to decode or use the message".

Let's just drop it.

1. https://datatracker.ietf.org/doc/minutes-96-openpgp/
2. https://tools.ietf.org/html/rfc7258
3. https://riseup.net/en/security/message-security/openpgp/best-practices
4. https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
5. https://tools.ietf.org/html/rfc4880#page-55


Über 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
		-- Eine Initiative des Bundesamtes für Tastaturbenutzung
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: </pipermail/attachments/20160805/de2d23b6/attachment.sig>

More information about the Gnupg-devel mailing list