Reading new key packages

Werner Koch wk at gnupg.org
Fri Jan 19 09:47:26 CET 2024


Hi Heiko,

On Thu, 18 Jan 2024 22:10, Heiko Schäfer said:

> draft-ietf-openpgp-crypto-refresh. For example enabling GnuPG users to
> verify signatures made by crypto-refresh users?

Actually I tried to implement that and even have some wording in the
latest LibrePGP draft for this.  However, I had stopped this effort
after I realized that the crypto-refresh dropped that bug fix to cover
the meta data from the literal data packet by the signature.

If we would implement that we need to do this

if (signature version < 5 or is 6 and has meta data)
  Print warning that meta data is not protected
else
  No need to print a warning because it is covered by the signature.

Further the presence of a signature salt would also render the signature
bad given that GnuPG tries to help organizations to protect their
communication also from insiders by minimizing covert channels.

The involved complexity for the above check is not that high, thus it
might eventually be done.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
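
Added example (not part of the message above and not GnuPG code): the
warning check sketched in the message, in Python, applied to a Literal
Data packet body as laid out in RFC 4880 section 5.9. It assumes the
condition reads "(version < 5 or version == 6) and has meta data" and
that "has meta data" means a non-empty file name or a non-zero date;
all function names and the sample packets are constructed for
illustration.

```python
import struct


def parse_literal_header(body: bytes) -> dict:
    """Split a Literal Data packet body into its metadata fields and payload.

    Layout (RFC 4880, 5.9): format octet, file name length octet,
    file name, four-octet big-endian date, then the literal data.
    """
    if len(body) < 2:
        raise ValueError("literal data packet too short for format and name length")
    name_len = body[1]
    header_end = 2 + name_len + 4
    if len(body) < header_end:
        raise ValueError("literal data packet truncated inside file name or date")
    (date,) = struct.unpack(">I", body[2 + name_len:header_end])
    return {
        "format": chr(body[0]),
        "filename": body[2:2 + name_len],
        "date": date,
        "data": body[header_end:],
    }


def has_metadata(header: dict) -> bool:
    # Assumption: an empty file name and a zero date count as "no meta data".
    return bool(header["filename"]) or header["date"] != 0


def metadata_warning(sig_version: int, literal_body: bytes):
    """Return a warning string when the metadata is not covered, else None."""
    header = parse_literal_header(literal_body)
    # Assumed reading of the rule: v5 signatures cover the metadata,
    # versions below 5 and version 6 do not.
    if (sig_version < 5 or sig_version == 6) and has_metadata(header):
        return ("WARNING: file name %r and date %d are not protected by the signature"
                % (header["filename"], header["date"]))
    return None


# Constructed sample packets (not taken from any real message).
WITH_META = b"b" + bytes([10]) + b"report.txt" + struct.pack(">I", 1705654046) + b"hello"
NO_META = b"b" + bytes([0]) + struct.pack(">I", 0) + b"hello"

if __name__ == "__main__":
    for version in (4, 5, 6):
        for label, body in (("with metadata", WITH_META), ("no metadata", NO_META)):
            print(version, label, metadata_warning(version, body))
```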