gnupg --fetch-key problems

Werner Koch wk at gnupg.org
Tue Sep 1 21:17:24 CEST 2020


On Tue,  1 Sep 2020 14:27, Björn Jacke said:

> I talked with Wiktor about the http 1.0 issue in gpg and he also
> mentioned that a number of weird problems that people have reported with
> WKD in the past might be related to gpg talking http 1.0 only.

And what about those servers which don't support 1.1?  Will that be
more than those 1.1 servers disabling 1.0 without any valid reasons?
There is more HTTP infrastructure out there than the standard servers.
RFC-7230 explicitly describes the versioning scheme and how it shall be
used.  Dirmngr does not feature the required 1.1 parts and thus it is
not okay to enable 1.1.

> You didn't mention the suggested libcurl yet - if you would use that you

We are glad that we could remove most of the duplicated code and library
duplication from the GnuPG code base.  Adding libcurl would pull in for
example OpenSSL, GnuTLS, GMP, Hogweed/Nettle, Kerberos, P11 Kit, and
libgcrypt.  The latter might even be a different version than what GnuPG
uses which is a very brittle thing and should be avoided.  

Granted, the standard Dirmngr on Linux also pulls in libldap and a
respective crypto lib which is not good either.  Any hints on hooks in
libldap to avoid this would be very appreciated.  Maybe we may need to
get back to a helper process for ldap.

> would not have to worry about the details of how to implement more
> modern http protocols in gpg.

We use only very basic HTTP features and won't follow any fashionable
new things - there is just no need for it and it will only break things.
Well, if people voluntarily break their HTTP infrastructure I would like
to learn what reasons are given for that.  Complexity is the worst
enemy of security.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
More information about the Gnupg-users mailing list
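
Added example, not part of the original message and not GnuPG code: one concrete reason a client cannot just change its request line to HTTP/1.1. RFC 7230 lets a server use the chunked transfer coding only when the request indicates 1.1 and requires a 1.1 recipient to decode it, so a reader that only knows "body runs until close" would store the framing bytes as key data. The message does not say which 1.1 parts Dirmngr lacks; chunked decoding is an assumed illustration, and the responses and function names below are constructed.

```python
# Constructed sample data: BODY is a placeholder, not a real key.
BODY = b"KEYDATA-PLACEHOLDER-0123456789"  # 30 bytes
# Reply to an HTTP/1.0 request: the body runs until the connection closes.
RESP_10 = b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + BODY
# Reply a server may send once the request says HTTP/1.1: chunked framing.
RESP_11 = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"10\r\n" + BODY[:16] + b"\r\n" + b"e\r\n" + BODY[16:] + b"\r\n0\r\n\r\n")

def split_head(resp):
    """Return (lower-cased header dict, bytes following the header block)."""
    head, _, rest = resp.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, rest

def read_until_close(resp):
    """1.0-only reader: everything after the headers is taken as the body."""
    return split_head(resp)[1]

def decode_chunked(data):
    """Decode the chunked coding (RFC 7230, 4.1); extensions ignored, trailers not parsed."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)  # ValueError if the size line is missing
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += data[pos:pos + size]
        pos += size + 2

def read_body(resp):
    """Reader that honours the framing a 1.1 request permits the server to use."""
    headers, rest = split_head(resp)
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return decode_chunked(rest)
    if b"content-length" in headers:
        return rest[:int(headers[b"content-length"])]
    return rest

if __name__ == "__main__":
    print("1.0 reader, 1.0 reply:", read_until_close(RESP_10) == BODY)
    print("1.0 reader, 1.1 reply:", read_until_close(RESP_11) == BODY)
    print("1.1 reader, 1.1 reply:", read_body(RESP_11) == BODY)
```

A truncated chunked reply raises `ValueError` in `decode_chunked`, whereas the read-until-close reader has no way to tell a short body from a complete one.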