gpg: can't put a policy URL into v3 (PGP 2.x style) signature

Atom 'Smasher' atom-gpg at suspicious.org
Sat Apr 10 20:33:04 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > > PGP compatibility.  No version of PGP before 8 can reliably handle v4
> > > signatures.
> > =======================
> >
> > then this looks like a typo in the man page...
> >
> > 	--force-v3-sigs
> > 	--no-force-v3-sigs
> > 		OpenPGP states that an implementation should generate v4
> > 		signatures but PGP versions 5 through 7 only recognize v4
> > 		signatures on key material.  This option forces v3 signatures for
> > 		signatures on data.  Note that this option overrides
> > 		--ask-sig-expire, as v3 signatures cannot have expiration dates.
> > 		--no-force-v3-sigs disables this option.
>
> Where is the typo?
========================================

logic dictates that these statements can not both be correct:

* "No version of PGP before 8 can reliably handle v4 signatures."
	-- dshaw

* "PGP versions 5 through 7 only recognize v4 signatures on key material."
	-- gpg (1.2.4) man page

assuming that you [dave] are correct, then the man page must be wrong.


> > also, this seems like a deviation from the usual behavior, that if there's
> > a "--force-xyz" and a "--no-force-xyz", the "--no-force-xyz" is usually
> > the default, unless otherwise specified.
>
> The default is just the one that is most appropriate.  There is no
> standard behavior to have the "no" value be the default.  Note
> "--escape-from", "--mangle-dos-filenames", and "--ask-cert-level" are
> also default-to-yes.
====================================

that seems like a slight (very slight!) deviation from the RFC (5.2):
	Implementations SHOULD generate V4 signatures.  Implementations
	MAY generate a V3 signature that can be verified by PGP 2.6.x.

obviously not a catastrophic deviation, but i didn't see it mentioned
anywhere... not even doc/gnupg/OpenPGP.

i would think that the same thing could be accomplished in a more
RFC-compliant (and easier to figure out) way by making the default
behavior to use v4 signatures, but including "force-v3-sigs" in the
default config file. (IMHO) that would keep the application closer to the
RFC ideal, but in practice it would still be compatible with older
versions of PGP(tm).

if there are only a few yes/no options that default "yes", then i'd like
to request that the man page specify that those options (that you list
above) default to "yes", while all of the other yes/no options default to
"no". or... each yes/no option should explicitly state (in the man page)
what it defaults to, and if it's overridden in the default config file.
the default config file would also be a good place to explain why a
default would be overridden, as with the case of why v3 signatures are
generated.


        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

	"I spent 33 years and four months in active service in the
	 country's most agile military force, the Marines. I served
	 in all ranks from second lieutenant to major general. And
	 during that period I spent most of my time being a
	 high-class muscle man for Big Business, for Wall Street and
	 the bankers. In short, I was a racketeer, a gangster for
	 capitalism.

	"I suspected I was just part of a racket at the time. Now I am
	 sure of it. Like all members of the military profession I
	 never had an original thought until I left the service. My
	 mental faculties remained in suspended animation while I
	 obeyed the orders of the higher-ups. This is typical with
	 everyone in the military service.

	"Thus I helped make Mexico, and especially Tampico, safe for
	 American oil interests in 1914. I helped make Haiti and Cuba
	 a decent place for the National City Bank boys to collect
	 revenue in. I helped in the raping of half-a-dozen Central
	 American republics for the benefit of Wall Street. The
	 record of racketeering is long. I helped purify Nicaragua for
	 the international banking house of Brown Brothers and Co. in
	 1909-1912. I brought light to the Dominican Republic for the
	 sugar interests in 1916. I helped make Honduras "right" for
	 American fruit companies in 1903. In China in 1927 I helped
	 see to it that Standard Oil went its way unmolested.

	"During those years, I had, as the boys in the back room would
	 say, a swell racket. I was rewarded with honors, medals, and
	 promotion. Looking back on it, I feel that I might have given
	 Al Capone a few hints. The best he could do was to operate a
	 racket in three city districts. The Marines operated on three
	 continents."
		-- Smedley D. Butler, (1881-1940)
		Major Gen U.S. Marines
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish?  -  http://atom.smasher.org/links/#digital_signatures

iEYEARECAAYFAkB4PeQACgkQnCgLvz19QeOregCfY6yD3hqjaP4t5DLeF3DP+Xjk
uW0AoI8W7WacjEup/YUmOJEhrcBqomx+
=ZItX
-----END PGP SIGNATURE-----
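
The thread turns on what a v3 signature can hold compared with a v4 one (no expiration date, no policy URL). The following is an added example, not part of the original post and not GnuPG code: it parses old-format signature packets as laid out in RFC 2440 section 5.2 and lists the hashed subpackets. The v3 and v4 packets are constructed (placeholder URL, zeroed key ID, signature MPIs omitted); the third input is the signature block shown at the end of this post.

```python
import base64

def subpackets(area: bytes) -> dict:
    """Split a v4 subpacket area into {type: data} (RFC 2440 5.2.3.1)."""
    out, i = {}, 0
    while i < len(area):
        n = area[i]
        if n < 192:                      # one-octet length
            i += 1
        elif n < 255:                    # two-octet length
            n, i = ((n - 192) << 8) + area[i + 1] + 192, i + 2
        else:                            # 0xFF followed by a four-octet length
            n, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        out[area[i] & 0x7F] = area[i + 1:i + n]   # mask off the critical bit
        i += n
    return out

def inspect_signature(pkt: bytes):
    """Return (version, hashed subpackets) of an old-format signature packet."""
    if pkt[0] & 0xC0 != 0x80 or (pkt[0] >> 2) & 0x0F != 2 or pkt[0] & 3 == 3:
        raise ValueError("not an old-format, definite-length signature packet")
    n = 1 << (pkt[0] & 3)                # 1, 2 or 4 length octets
    body = pkt[1 + n:1 + n + int.from_bytes(pkt[1:1 + n], "big")]
    if body[0] == 3:
        # v3 has fixed fields only: no subpacket area for a URL or an expiry.
        return 3, {}
    if body[0] == 4:
        hashed_len = int.from_bytes(body[4:6], "big")
        return 4, subpackets(body[6:6 + hashed_len])
    raise ValueError("unknown signature version")

def sp(sp_type: int, data: bytes) -> bytes:   # build one constructed subpacket
    return bytes([len(data) + 1, sp_type]) + data

# Constructed samples. Types: 2 = creation time, 3 = expiration, 26 = policy URL.
hashed = (sp(2, bytes.fromhex("40783de4")) + sp(3, (86400).to_bytes(4, "big"))
          + sp(26, b"http://example.org/policy"))
v4_body = bytes([4, 0x01, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed + bytes(4)
V4 = bytes([0x88, len(v4_body)]) + v4_body
v3_body = bytes([3, 5, 0x01]) + bytes.fromhex("40783de4") + bytes(8) + bytes([17, 2, 0, 0])
V3 = bytes([0x88, len(v3_body)]) + v3_body
# The signature block from this post, copied from the armored text above.
PAGE_SIG = base64.b64decode("iEYEARECAAYFAkB4PeQACgkQnCgLvz19QeOregCfY6yD3hqjaP4t5DLeF3DP+Xjk"
                            "uW0AoI8W7WacjEup/YUmOJEhrcBqomx+")

for name, pkt in (("constructed v3", V3), ("constructed v4", V4), ("this post", PAGE_SIG)):
    print(name, inspect_signature(pkt))
```
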


