embedded public key in signature as in smime.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 8 23:21:58 CET 2013


On 01/08/2013 05:02 PM, Uwe Brauer wrote:
> Are there any plans to modify the signature (backward compatible?) such
> that it contains the public key embedded as in smime?

Not that I know of.  Why do you think this would be useful?

You could do all of this within the existing OpenPGP specification, but
to make it actually useful (and not just bloat your signatures in ways
that no one else bothers to take advantage of) you might want to modify
GnuPG a bit.

Here are some thoughts on how you might approach it if you think this is
a worthwhile goal.

OpenPGP notations: https://tools.ietf.org/html/rfc4880#section-5.2.3.16

To send this sort of thing, you'd just need to pick a standard name for
the notation, and use gpg's --sig-notation argument in some reasonable
way.  Reading gpg(1), it seems like you might want to extend the
%-escaping to make some code (e.g. %X) include the full key in some format.

That's just the sending side.  Then you'd have to take care of the
receiving side.

If you wanted gpg to interpret something like this automatically, you'd
need to consider the concern that now the previously read-only activity
of evaluating a signature has side effects that might modify your
keyring.  This has some of the same issues (except for the "web bug"
concern) as gpg's "--keyserver-options auto-key-retrieve" option, as
well as "--verify-options pka-lookups" though, so it has some precedent
in the existing codebase.

So to extend gpg, you might add some other --verify-options directive
like import-embedded-key-notation.

Make sense?

	--dkg
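As an added illustration (not part of dkg's message or of GnuPG), the following Python builds and parses the RFC 4880 5.2.3.16 Notation Data subpacket that such a scheme would ride on. The notation name `embedded-key@example.net` and the armored key text are constructed placeholders; on the receiving side the extracted value is treated as untrusted bytes that a verifier would only act on after the enclosing signature checks out, which is the keyring side effect discussed above.

```python
import struct

NOTATION_DATA = 20             # signature subpacket type, RFC 4880 5.2.3.16
HUMAN_READABLE = 0x80000000    # the only notation flag RFC 4880 defines
EMBEDDED_KEY = "embedded-key@example.net"  # hypothetical user-space notation name

def _subpacket_header(length):
    """RFC 4880 5.2.3.1 subpacket length; `length` counts the type octet."""
    if length < 192:
        return bytes([length])
    if length < 8384:
        return bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    return b"\xff" + struct.pack(">I", length)

def encode_notation(name, value, flags=HUMAN_READABLE, critical=False):
    """One Notation Data subpacket: 4 flag octets, 2-octet name length,
    2-octet value length, then name and value (critical bit in type octet)."""
    name_b = name.encode("utf-8")
    body = struct.pack(">IHH", flags, len(name_b), len(value)) + name_b + value
    subtype = NOTATION_DATA | (0x80 if critical else 0)
    return _subpacket_header(len(body) + 1) + bytes([subtype]) + body

def iter_subpackets(area):
    """Yield (type, critical, body) for every subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def embedded_keys(area, name=EMBEDDED_KEY):
    """Values of every notation called `name`, returned as raw bytes.
    Nothing here imports anything: that step belongs after verification."""
    found = []
    for subtype, _critical, body in iter_subpackets(area):
        if subtype != NOTATION_DATA or len(body) < 8:
            continue
        flags, nlen, vlen = struct.unpack(">IHH", body[:8])
        if body[8:8 + nlen] == name.encode("utf-8") and len(body) == 8 + nlen + vlen:
            found.append(body[8 + nlen:])
    return found

# Constructed stand-in for an ASCII-armored key export; not a real key.
FAKE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n-----END PGP PUBLIC KEY BLOCK-----\n"
```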
