Making the case for smart cards for the average user
Ben McGinnes
ben at adversary.org
Tue Apr 7 17:07:18 CEST 2015
On 8/04/2015 12:41 am, MFPA wrote:
>
>> allowing them to drop the standard format of "name
>> <email at example.net>" and then they're shocked that doing so might
>> produce unintended consequences?
>
> Don't know about "shocked", but unintended consequences for a
> non-standard UID scheme was indeed the issue.
>
> The OP started this thread with a plug for his version of the GnuPG
> smart card. Part of his scheme was to generate keys with a simplified
> UID format that contained just an email address.
Said OP needs to spend about a year running an SMTP server before
making a design decision like that, but anyway.
>> Perhaps I'm being unreasonable, but surely if you go out of your
>> way to make sure that a particular pattern does *not* appear in
>> your UID then it is intended that searching on that pattern should
>> not match your UID. Now granted, that intention may have been
>> poorly considered by said key owner,
>
> I pointed out that at least one MUA sends the email address enclosed
> in angle brackets as the search string for GnuPG to locate the key. No
> angle brackets around the email address means no key found. The OP
> reconsidered his scheme and added the angle brackets. Issue resolved.
Good.
>> but I'd hardly call it a bug in GPG for not anticipating that.
>> After all, all it is doing is matching the pattern specified by the
>> owner of the key.
>
> Nor would I. But if somebody creates a key UID with just a bare email
> address, is it sensible to accept that email address as a match when
> selecting keys?
Ah, but if it is truly just the email address then is it sitting in
the email field of the UID or the name field? If it's the latter then
you could match any part of it you liked normally. An email client is
likely to have a small fit at that point, but the email client is
designed to interact with a specific set of transmission protocols, in
this case SMTP. So if a GPG user wants a UID that does not meet the
criteria for SMTP addressing then the GPG user can't expect it to work
automatically. As for a vendor foisting poor configuration on end
users ... well, the instinctive reaction is to reach for a LART, but
that won't be necessary really because that vendor will be out of
business within a year.
Regards,
Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150408/1ed582ea/attachment.sig>
More information about the Gnupg-users
mailing list