Reading new key packages (Re: Coexistence with OpenPGP/IETF)
Andrew Gallagher
andrewg at andrewg.com
Sun Jan 7 19:28:10 CET 2024
On 7 Jan 2024, at 16:41, Nickolay Olshevsky via LibrePGP-discuss <librepgp-discuss at librepgp.org> wrote:
>
>
> I cannot say the exact number, but during my experience on some commercial OpenPGP library we had a lot of clients, including banking, financial and even military, who used to transfer data via automated and semi-automated processes, and it included usage of filename/mtime in the literal data packet. And even in 2008-2010 those processes were already running for years, and I doubt that something would rapidly change there, if it changes at all.

Thanks, Nickolay.
So at this point my understanding is:
1. It is desirable to protect the literal metadata
2. v5 sigs differ from other versions because they include the metadata (for 0x0 and 0x1 sig types only)
3. GnuPG/LibrePGP would like to implement v6 sigs but will not do so without metadata protection
4. A method exists (subpacket 40) to add metadata protection to v4 sigs
5. A similar method could be used to add metadata protection to v6 sigs
Please correct me if any of the above are inaccurate?
A