-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, Jun 6, 2024 at 6:38 PM Brad House via c-ares <c-ares@lists.haxx.se> wrote: > > On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote: > > > > > Hello, congrats on the update. I don't mean to be annoying but the > > introduction of a new key should be in an email signed by the old key. > > The download page could clarify also which versions are expected to be > > signed by either key and which are only by Daniel, e.g. from >=1.30 > > both keys are valid. This is probably in the changelog or NEWS file > > (if not please add) but I didn't check. > > > I'm pretty sure the mailing list updates too many aspects of the message > for a signed email to properly pass through and be able to be > validated. Maybe I'm wrong here. If I'm right though, what other way > could we "prove" my key is allowed to be used?
If the MTA mangles PGP/MIME there's <https://datatracker.ietf.org/doc/draft-dkg-openpgp-pgpmime-message-mangling/> for some ways to deal with a mangled message. You don't have to use PGP/MIME, Daniel can just enclose his message in an inline signature with `gpg --clearsign`. I've sent this e-mail signed, as an example. My fingerprint is ED32 5C3D 9DFE 5B0A BECE 4021 719B 12FD F9F9 6069, but you should have my fingerprint (or public key) transmitted to you out-of-band (meaning, with a different method) because it is trivial for someone to take this e-mail, strip the signature, modify the fingerprint, and then re-sign it. If Daniel sends an e-mail, he doesn't have to worry about this, anyone who really cares can go through the pain of obtaining his key out-of-band through a secure channel (if they don't already have it), but what matters is that Daniel verifies you to be authorized as a signer for c-ares, and those who trust Daniel can now trust you too. > I did briefly discuss with Daniel about him signing my key with his as a > way to indicate some level of trust in my key, since we're across the > ocean from eachother we'd need to do ID verification via a video chat. > We just haven't gotten around to that yet, would that "suffice"? Signing keys does not tell you anything, you need to have the context too (the context explains what the key is), which also needs to be signed. (Confusingly in PGP there's the web of trust where users sign keys together with an indicated level of trust.) Regards, Nikolaos Chatzikonstantinou -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQT+qiF+WQ7fQkkAb/UJFDAFinzxjQUCZmJs3AAKCRAJFDAFinzx jch0AP4gzqFCfgck6fBcpiLOnxYK7GdQHX1GXsND3j+nWMAHDQD+Lh7VM+5ONg9c dOga1QWYPR4fWYp6WisLFRtrDqIxWgE= =gDSN -----END PGP SIGNATURE----- -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/mailman/listinfo/c-ares
