On Thu, Jun 6, 2024 at 10:14 PM Nikolaos Chatzikonstantinou <nchatz...@gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thu, Jun 6, 2024 at 6:38 PM Brad House via c-ares
> <c-ares@lists.haxx.se> wrote:
> >
> > On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:
> >
> > >
> > > Hello, congrats on the update. I don't mean to be annoying but the
> > > introduction of a new key should be in an email signed by the old key.
> > > The download page could clarify also which versions are expected to be
> > > signed by either key and which are only by Daniel, e.g. from >=1.30
> > > both keys are valid. This is probably in the changelog or NEWS file
> > > (if not please add) but I didn't check.
> > >
> > I'm pretty sure the mailing list updates too many aspects of the message
> > for a signed email to properly pass through and be able to be
> > validated. Maybe I'm wrong here. If I'm right though, what other way
> > could we "prove" my key is allowed to be used?
>
> If the MTA mangles PGP/MIME there's
> <https://datatracker.ietf.org/doc/draft-dkg-openpgp-pgpmime-message-mangling/>
> for some ways to deal with a mangled message. You don't have to use
> PGP/MIME, Daniel can just enclose his message in an inline signature
> with `gpg --clearsign`. I've sent this e-mail signed, as an example.
> My fingerprint is ED32 5C3D 9DFE 5B0A BECE 4021 719B 12FD F9F9 6069,
> but you should have my fingerprint (or public key) transmitted to you
> out-of-band (meaning, with a different method) because it is trivial
> for someone to take this e-mail, strip the signature, modify the
> fingerprint, and then re-sign it. If Daniel sends an e-mail, he
> doesn't have to worry about this, anyone who really cares can go
> through the pain of obtaining his key out-of-band through a secure
> channel (if they don't already have it), but what matters is that
> Daniel verifies you to be authorized as a signer for c-ares, and those
> who trust Daniel can now trust you too.
>
> > I did briefly discuss with Daniel about him signing my key with his as a
> > way to indicate some level of trust in my key, since we're across the
> > ocean from each other we'd need to do ID verification via a video chat.
> > We just haven't gotten around to that yet, would that "suffice"?
>
> Signing keys does not tell you anything, you need to have the context
> too (the context explains what the key is), which also needs to be
> signed. (Confusingly in PGP there's the web of trust where users sign
> keys together with an indicated level of trust.)
>
> Regards,
> Nikolaos Chatzikonstantinou
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYKAB0WIQT+qiF+WQ7fQkkAb/UJFDAFinzxjQUCZmJs3AAKCRAJFDAFinzx
> jch0AP4gzqFCfgck6fBcpiLOnxYK7GdQHX1GXsND3j+nWMAHDQD+Lh7VM+5ONg9c
> dOga1QWYPR4fWYp6WisLFRtrDqIxWgE=
> =gDSN
> -----END PGP SIGNATURE-----

Nice! As soon as I tried to demonstrate it, both the signature and the
contents were mangled by gmail. Well, you know what, just attach a
signature file with `gpg --sign --detach`. Sigh, how comedic.

Regards,
Nikolaos Chatzikonstantinou
--
c-ares mailing list
c-ares@lists.haxx.se
https://lists.haxx.se/mailman/listinfo/c-ares
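
Added example, not part of the thread and not GnuPG's code: a sketch of why an inline `gpg --clearsign` message can stop verifying after passing through a mail client. It computes the canonical text a cleartext signature covers under the RFC 4880 section 7.1 rules and compares it across transit changes; it does not verify any signature. The sample message, the three mangled variants and the function names are constructed for illustration.

```python
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_text(clearsigned: str) -> bytes:
    """Canonical text a cleartext signature is computed over (RFC 4880, 7.1)."""
    # Line-ending style and trailing blanks are normalised away before signing.
    lines = [l.rstrip(" \t") for l in clearsigned.replace("\r\n", "\n").split("\n")]
    start = lines.index(BEGIN) + 1          # ValueError if the framing is gone
    while lines[start] != "":               # skip armor headers such as "Hash:"
        start += 1
    end = lines.index(SIG)
    # Undo dash-escaping: the signer prefixed "- " to lines starting with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[start + 1:end]]
    # CRLF between lines; the line ending before the signature block is excluded.
    return "\r\n".join(body).encode("utf-8")  # assumption: UTF-8 text

def survives(sent: str, received: str) -> bool:
    """True if the received copy still carries the same signed text."""
    try:
        return signed_text(sent) == signed_text(received)
    except ValueError:                      # framing lines no longer recognisable
        return False

# Constructed sample message; the signature body is a placeholder, not real data.
SAMPLE = "\n".join([
    BEGIN, "Hash: SHA512", "",
    "Hello, this line is long enough that a mail client may re-wrap it.",
    "- -- ",
    "constructed sample, not a real signed message",
    SIG, "", "(placeholder)", "-----END PGP SIGNATURE-----",
])

# Three constructed transit changes.
CRLF_AND_BLANKS = SAMPLE.replace("\n", " \r\n")             # harmless
REWRAPPED = SAMPLE.replace("that a mail", "that\na mail")   # changes signed text
QUOTED = "\n".join("> " + l for l in SAMPLE.split("\n"))    # destroys framing

if __name__ == "__main__":
    for name, msg in [("crlf+trailing blanks", CRLF_AND_BLANKS),
                      ("re-wrapped", REWRAPPED), ("quoted", QUOTED)]:
        print(f"{name:22} signed text intact: {survives(SAMPLE, msg)}")
```

A detached signature over an attached file avoids this because the signed bytes are the attachment's content rather than the message body the mail client rewrites.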