formatting of gpg blocks

Jerome Baum jerome at jeromebaum.com
Sun Jun 19 20:47:39 CEST 2011


>> This is needed to make sure OpenPGP (i.e. gnupg) doesn't misinterpret
>> stuff inside the block. Imagine enclosing some signed data inside a
>> signed block. How does gnupg tell apart the "END" lines from the
>> inner/outer blocks?
>
> Is this design better than one allowing the last END line to be the
> closing one?

This could lead to ambiguities.

> I see that nested blocks are possible, but is this format documented
> somewhere?

OpenPGP standard, RFC 4880, section 6.

> I suppose I keep wondering where the format is described because when I
> first came across this, I spent a lot of time trying to import the
> public key embedded in a clear-signed message. I didn't realize that I
> needed to decrypt it until you mentioned it. And now I'm trying to learn
> how not to make that mistake again in general.

As a general recommendation, if the data is in OpenPGP format,
interpret it as such first. Then if there is other OpenPGP data
inside, use the interpreted version. Wrong interpretation ("taking
shortcuts") is what leads to all these XSS and injection
vulnerabilities we hear about every day. If your data is in format A,
use A's interpreter to understand it. If there's B inside ("A(B)"),
then use A's interpreter first, then B's interpreter. Your example is
just the case of A = B = OpenPGP.

>> Be careful to distinguish between data signatures (signing a message)
>> and certifications (signing a key). Are you trying to wrap a data
>> signature around the key? Unless you have a special use-case, that
>> probably doesn't make sense. Instead try to use a certification.
>
> I see. I read that it is a good practice to sign one's public key before
> giving it to other people. I thought they meant signing the key as a
> message. Now that you clarified this, I went to seahorse, Names and
> Signatures, sign key. It gives me a choice to let others see this
> signature. Should I allow that? I would also appreciate it, if you could
> explain how key certification is useful.

Whose key is it? When you make a signature (whether on key or data),
you need to be aware of what that signature says. Is this your key? It
should already be signed by default. Is this another person's key? Why
are you signing it? Have you verified that the key is valid? etc. Read
through http://www.gnupg.org/gph/en/manual.html to get a better
understanding -- before you make any certifications.

-- 
Jerome Baum
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
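Added example (not part of the original post, and not GnuPG's own code) for the "A's interpreter first, then B's" point above, applied to the exact case in the thread: a public key block pasted into a clear-signed message. The cleartext signature framework (RFC 4880, section 7.1) prefixes every line of the signed text that starts with a dash with "- ", so the embedded block's own "-----BEGIN/END PGP PUBLIC KEY BLOCK-----" lines are not armor lines in the outer message at all; that is why importing the raw message fails and why the frame has to be interpreted first. The key and signature bytes are constructed filler, not real OpenPGP packets, and the script does not verify the signature (that remains gpg's job); it only reproduces the framing, the dash-escaping, and the RFC 4880 section 6 CRC-24 check on the armor.

```python
"""Added example, not code from the original post or from GnuPG.
Shows "A first, then B" for A = B = OpenPGP: a key block inside a clear-signed
message is dash-escaped (RFC 4880 section 7.1), so the outer frame must be
interpreted before the inner armor can be parsed. Assumptions: key and
signature bytes are constructed filler; signature verification is left to gpg."""
import base64

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data):
    """CRC-24 over armored data, transliterated from the RFC 4880 C reference."""
    crc = CRC24_INIT
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(kind, data):
    """Build an ASCII-armored block (RFC 4880 section 6.2) with its CRC line."""
    body = base64.b64encode(data).decode()
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP %s-----" % kind, ""] + body_lines
                     + [crc_line, "-----END PGP %s-----" % kind])


def dearmor(text, kind):
    """Decode the first block of the given kind and verify its CRC-24.
    Raises ValueError if no such block exists or the checksum is wrong."""
    begin, end = "-----BEGIN PGP %s-----" % kind, "-----END PGP %s-----" % kind
    lines = text.splitlines()
    if begin not in lines or end not in lines:
        raise ValueError("no %s block found" % kind)
    start = lines.index(begin) + 1
    stop = lines.index(end, start)
    while start < stop and lines[start] != "":   # skip armor headers
        start += 1
    body, crc_line = [], None
    for line in lines[start + 1:stop]:
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            body.append(line)
    if crc_line is None:
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body))
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("CRC-24 mismatch")
    return data


def clearsign_frame(cleartext, sig_bytes):
    """Wrap text in the cleartext signature framework (RFC 4880 section 7),
    prefixing every line that starts with '-' by '- ' (section 7.1)."""
    escaped = ["- " + line if line.startswith("-") else line
               for line in cleartext.splitlines()]
    return "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", ""]
                     + escaped + [armor("SIGNATURE", sig_bytes)])


def split_clearsigned(message):
    """Interpreter A: take the frame apart and undo the dash-escaping.
    gpg does this and, in addition, verifies the signature over the text."""
    lines = message.splitlines()
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clear-signed message")
    i = lines.index("") + 1                      # first blank line ends the headers
    j = lines.index("-----BEGIN PGP SIGNATURE-----", i)
    text = [line[2:] if line.startswith("- ") else line for line in lines[i:j]]
    return "\n".join(text), "\n".join(lines[j:])


def recover_embedded_key(message):
    """A first, then B: unwrap the clear-signed frame, then dearmor the key."""
    cleartext, _signature = split_clearsigned(message)
    return dearmor(cleartext, "PUBLIC KEY BLOCK")


def naive_import_fails(message):
    """The shortcut: look for the key block in the raw message. Its armor
    lines are dash-escaped there, so no block is found."""
    try:
        dearmor(message, "PUBLIC KEY BLOCK")
        return False
    except ValueError:
        return True


# Constructed sample: filler bytes standing in for real key and signature packets.
FAKE_KEY = bytes(range(0x99, 0xD0))
FAKE_SIG = b"\x88\x00 not a real signature"
MESSAGE = clearsign_frame("Here is my key:\n" + armor("PUBLIC KEY BLOCK", FAKE_KEY)
                          + "\n-- \nsig", FAKE_SIG)

if __name__ == "__main__":
    print(MESSAGE)
    print("naive import fails:", naive_import_fails(MESSAGE))
    print("key recovered after unwrapping:", recover_embedded_key(MESSAGE) == FAKE_KEY)
```

Running it prints the framed message, in which the embedded block appears as "- -----BEGIN PGP PUBLIC KEY BLOCK-----"; the dash-escaped copy is what a text editor or a key import on the raw message sees, and only the un-escaped text that the framework hands back is a valid key block. The CRC check in dearmor is the same "use A's interpreter" discipline one level down: a block whose checksum line does not match its body is rejected instead of being passed on.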



More information about the Gnupg-users mailing list