[PATCH] avoid publishing the GnuPG version by default
ilf
ilf at zeromail.org
Fri Aug 5 10:53:57 CEST 2016
Daniel Kahn Gillmor:
> The version of GnuPG in use is not particularly helpful.
> It's probably better to take the more parsimonious approach to
> metadata production by default.
Werner, Daniel and I talked about this at the OpenPGP-session during
IETF 96. [1] Thanks Daniel, for following up on this!
I fully support this proposal.
Since "Pervasive Monitoring Is an Attack" [2], let's minimize metadata
as much as possible, especially if it's unencrypted *and* not
cryptographically verifiable.
The riseup.net "OpenPGP Best Practices" [3] refer to a gpg.conf [4]
which already implements "no-emit-version". I and many other people have
been using this with many implementations on many platforms for a long
time, without any problems. So I see no technical reason against the
proposal.
Even RFC 4880 lists no pressing reason for including this by default:
> The Armor Headers are pairs of strings that can give the user or the
> receiving OpenPGP implementation some information about how to decode
> or use the message. [5]
I can't see how "Version: GnuPG v2" tells me or an OpenPGP
implementation "how to decode or use the message".
Let's just drop it.
1. https://datatracker.ietf.org/doc/minutes-96-openpgp/
2. https://tools.ietf.org/html/rfc7258
3. https://riseup.net/en/security/message-security/openpgp/best-practices
4. https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
5. https://tools.ietf.org/html/rfc4880#page-55
--
ilf
Over 80 million Germans do not use a console. Don't click away!
-- An initiative of the Federal Office for Keyboard Use
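
An added example, not part of the original message or of GnuPG: a small Python audit that lists the armor headers in ASCII-armored OpenPGP text and removes selected ones (here "Version"), while leaving the "Hash" header of a cleartext-signed message and the message text itself untouched. The function name `scan` and the sample input are assumptions constructed for illustration.

```python
import re

BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z0-9 ,/]+)-----\s*$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")

# Constructed sample: layout follows RFC 4880 armor, the payload is a placeholder.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Version: this line is message text, not an armor header
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: constructed sample

PLACEHOLDERPAYLOAD
=AAAA
-----END PGP SIGNATURE-----
"""

def scan(text, drop=()):
    """Return (findings, cleaned_text).

    findings: (block type, key, value) for every armor header seen.
    cleaned_text: the input without the headers whose key is in `drop`.
    """
    findings, out, block = [], [], None
    drop = {k.lower() for k in drop}
    for line in text.splitlines():
        m = BEGIN.match(line)
        if m:
            block = m.group(1)      # armor headers may follow a BEGIN line
            out.append(line)
            continue
        if block is not None:
            h = HEADER.match(line)
            if h:
                findings.append((block, h.group(1), h.group(2)))
                if h.group(1).lower() in drop:
                    continue        # omit this header from the output
            else:
                block = None        # blank line (or data) ends the headers
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    found, cleaned = scan(SAMPLE, drop=("Version",))
    for block, key, value in found:
        print(f"{block}: {key} = {value}")
    print(cleaned, end="")
```
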
More information about the Gnupg-devel
mailing list