Re: Best Keyserver
On Fri, 2020-05-15 at 16:52 -0700, Mark wrote:
> I know this may be a subjective question but what is the best keyserver
> to use? I use GPG4Win with the Enigmail plugin for Thunderbird. The
> keyservers listed in Enigmail are:
>
> vks://keys.openpgp.org, hkps://hkps.pool.sks-keyservers.net,
> hkps://pgp.mit.edu
>
> The keyserver that is used in Kleopatra (GPG4Win) is:
>
> hkp://keys.gnupg.net

$ host keys.gnupg.net
keys.gnupg.net is an alias for hkps.pool.sks-keyservers.net.

--
Best regards,
Michał Górny

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Best Keyserver
I know this may be a subjective question but what is the best keyserver
to use? I use GPG4Win with the Enigmail plugin for Thunderbird. The
keyservers listed in Enigmail are:

vks://keys.openpgp.org, hkps://hkps.pool.sks-keyservers.net,
hkps://pgp.mit.edu

The keyserver that is used in Kleopatra (GPG4Win) is:

hkp://keys.gnupg.net

I would think it would be a good idea for both to be configured to use
the same keyserver, so which one is "the best"?

Thanks
Re: keys require a user-id
Peter Pentchev wrote:

> On Fri, May 15, 2020 at 10:54:32PM +0200, Stefan Claas wrote:
> > You know what, the most interesting thing of this ML for me is that
> > when people do a request or suggestion the old guard is always
> > there to defend some standard and are not accepting that a new
> > product on the OpenPGP market, with a new feature included, adds an
> > enrichment to a given standard, which people may like to use and
> > appreciate.
>
> OK, but *how* is it an enrichment? What does a UID-less key provide
> over a randomly-generated UID? Why go to the bother of supporting a
> new special case when you can get the same result in another way,
> with zero additional code in any of the existing implementations and
> only a couple more lines of code in the special client that will have
> to generate a random UID?

Fact is this function is available for users of OpenPGP software. We
should better think of how this will pan out in the future, if users
start to use OpenPGP software with UID-less public keyblocks and how
GnuPG users can interact with them, or not?

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
Re: keys require a user-id
On Fri, May 15, 2020 at 10:54:32PM +0200, Stefan Claas wrote:
> Peter Pentchev wrote:
>
> > On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
>
> > > Mind you, I have only asked that GnuPG should support the import and
> > > processing of UID-less public key blocks and did not request that
> > > this should be a default behaviour in the key generation process.
> >
> > And the answer has been given: because those blocks violate the
> > OpenPGP standard and, as I understand Robert J. Hansen (and I
> > apologize to him if I'm putting the wrong words into his mouth), his
> > position is that there is no reason for this violation to exist at
> > all, there is no reason for UID-less key blocks to exist at all, so
> > GnuPG is quite right in following the OpenPGP standard and not
> > accepting them.
>
> You know what, the most interesting thing of this ML for me is that
> when people do a request or suggestion the old guard is always there
> to defend some standard and are not accepting that a new product on the
> OpenPGP market, with a new feature included, adds an enrichment to a
> given standard, which people may like to use and appreciate.

OK, but *how* is it an enrichment? What does a UID-less key provide
over a randomly-generated UID? Why go to the bother of supporting a
new special case when you can get the same result in another way, with
zero additional code in any of the existing implementations and only a
couple more lines of code in the special client that will have to
generate a random UID?

G'luck,
Peter

--
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
Re: keys require a user-id
Peter Pentchev wrote:

> On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
> > Mind you, I have only asked that GnuPG should support the import and
> > processing of UID-less public key blocks and did not request that
> > this should be a default behaviour in the key generation process.
>
> And the answer has been given: because those blocks violate the
> OpenPGP standard and, as I understand Robert J. Hansen (and I
> apologize to him if I'm putting the wrong words into his mouth), his
> position is that there is no reason for this violation to exist at
> all, there is no reason for UID-less key blocks to exist at all, so
> GnuPG is quite right in following the OpenPGP standard and not
> accepting them.

You know what, the most interesting thing of this ML for me is that
when people do a request or suggestion the old guard is always there
to defend some standard and are not accepting that a new product on the
OpenPGP market, with a new feature included, adds an enrichment to a
given standard, which people may like to use and appreciate.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
Re: keys require a user-id
On Fri, May 15, 2020 at 10:33:12PM +0300, Peter Pentchev wrote:
> On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
> > Robert J. Hansen wrote:
> >
> > > > We now have the situation that either parents or teachers, etc. can
> > > > choose between a software which allows UID-less public key
> > > > generation, for their minors / students, themselves...
> > >
> > > They are free to use whatever identifier they like for a UID, even
> > > just the key ID. A UID-free certificate is in no way required for
> > > user privacy.
> > >
> > > You're being dishonest. I hate to say that, but I believe it's true.
> > > You insist on pretending that you're the only one concerned about
> > > privacy and that UID-free certificates are necessary for privacy of
> > > personally identifying information. The reality is the UID system in
> > > no way requires personally identifying information and everyone you're
> > > accusing of not caring about privacy cares a great deal about it.
> > >
> > > You're being dishonest. Please stop.
> >
> > Mind you, I have only asked that GnuPG should support the import and
> > processing of UID-less public key blocks and did not request that
> > this should be a default behaviour in the key generation process.
>
> And the answer has been given: because those blocks violate the OpenPGP
> standard and, as I understand Robert J. Hansen (and I apologize to him
> if I'm putting the wrong words into his mouth), his position is that
> there is no reason for this violation to exist at all, there is no
> reason for UID-less key blocks to exist at all, so GnuPG is quite right
> in following the OpenPGP standard and not accepting them.

...and he actually said pretty much that in
06a65d70-6d01-6de0-ec03-c841d64c8...@sixdemonbag.org :)

G'luck,
Peter

--
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
Re: keys require a user-id
On Fri, May 15, 2020 at 07:07:40PM +0200, Stefan Claas wrote:
> Robert J. Hansen wrote:
>
> > > We now have the situation that either parents or teachers, etc. can
> > > choose between a software which allows UID-less public key
> > > generation, for their minors / students, themselves...
> >
> > They are free to use whatever identifier they like for a UID, even
> > just the key ID. A UID-free certificate is in no way required for
> > user privacy.
> >
> > You're being dishonest. I hate to say that, but I believe it's true.
> > You insist on pretending that you're the only one concerned about
> > privacy and that UID-free certificates are necessary for privacy of
> > personally identifying information. The reality is the UID system in
> > no way requires personally identifying information and everyone you're
> > accusing of not caring about privacy cares a great deal about it.
> >
> > You're being dishonest. Please stop.
>
> Mind you, I have only asked that GnuPG should support the import and
> processing of UID-less public key blocks and did not request that
> this should be a default behaviour in the key generation process.

And the answer has been given: because those blocks violate the OpenPGP
standard and, as I understand Robert J. Hansen (and I apologize to him
if I'm putting the wrong words into his mouth), his position is that
there is no reason for this violation to exist at all, there is no
reason for UID-less key blocks to exist at all, so GnuPG is quite right
in following the OpenPGP standard and not accepting them.

G'luck,
Peter

--
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
Re: keys require a user-id
On 15.05.2020 16:43, Andrew Gallagher wrote:
> The inputs to the WoT are the signatures and the ownertrust values, and
> the outputs are UID validities. "Key validity" is neither an input nor a
> meaningful output of the system.

Key validity directly influences the "WARNING: This key is not
certified with sufficiently trusted signatures" message that I think is
pretty significant for end-users. If it wasn't meaningful it wouldn't
be printed in the --edit-key dialog.

> It is useful only as an intermediate
> step, together with the ownertrust, in the calculation of another UID's
> validity. The practical outworking of any validity calculation is not
> "Is this key valid?" but "Is this key valid for this UID?".

The argument could be reversed stating that "User ID validity is useful
only as an intermediate step to calculate key validity" and we wouldn't
draw any new knowledge from this. My original point was that key
validity exists.

Also: thanks for bringing my mental shortcut to technical correctness:

> It takes one fully trusted certifier (*), or three marginally trusted
> certifiers (*) on the *same UID*, for a UID to be considered valid.

This could of course be further refined by mentioning ownertrust or
that 0x11: Persona certifications do not contribute to this or that
trust signatures affect the algorithm or...

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
Re: keys require a user-id
Robert J. Hansen wrote:

> > We now have the situation that either parents or teachers, etc. can
> > choose between a software which allows UID-less public key
> > generation, for their minors / students, themselves...
>
> They are free to use whatever identifier they like for a UID, even
> just the key ID. A UID-free certificate is in no way required for
> user privacy.
>
> You're being dishonest. I hate to say that, but I believe it's true.
> You insist on pretending that you're the only one concerned about
> privacy and that UID-free certificates are necessary for privacy of
> personally identifying information. The reality is the UID system in
> no way requires personally identifying information and everyone you're
> accusing of not caring about privacy cares a great deal about it.
>
> You're being dishonest. Please stop.

Mind you, I have only asked that GnuPG should support the import and
processing of UID-less public key blocks and did not request that
this should be a default behaviour in the key generation process.

It is also interesting when you folks seem to run out of arguments that
you try to get personal, but I don't mind and stop, as per request! :-)

> > or a software which does not accept this and has no guidelines for
> > free-form UIDs in their FAQ / man page, nor an equal treatment in
> > the standard key generation process.
>
> If you want the documentation to reflect PII-free UIDs, please say
> that. This could be a useful discussion. If the community believes
> PII-free UIDs should be in the FAQ I will happily write up an entry
> for it.

Please discuss it with the community and try to add it later to the
documentation as equally treated, in the key generation process.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
Re: new subscriber
On Fri, May 15, 2020 at 05:58:51AM -0700, Arthur wrote in
<5d1e3dd6e2e4c31ae60ec2a938a53342.squirrel@giyzk7o6dcunb2ry.onion>:
> Hi, I'm checking if my subscription is valid.

Your subscription is...

> This message has been digitally signed by Arthur Dasaviour

...your signature is not. Just writing that you've signed something
does not make it so (from a gnupg perspective).
Re: keys require a user-id
> We now have the situation that either parents or teachers, etc. can
> choose between a software which allows UID-less public key
> generation, for their minors / students, themselves...

They are free to use whatever identifier they like for a UID, even just
the key ID. A UID-free certificate is in no way required for user
privacy.

You're being dishonest. I hate to say that, but I believe it's true.
You insist on pretending that you're the only one concerned about
privacy and that UID-free certificates are necessary for privacy of
personally identifying information. The reality is the UID system in no
way requires personally identifying information and everyone you're
accusing of not caring about privacy cares a great deal about it.

You're being dishonest. Please stop.

> or a software which does not accept this and has no guidelines for
> free-form UIDs in their FAQ / man page, nor an equal treatment in the
> standard key generation process.

If you want the documentation to reflect PII-free UIDs, please say
that. This could be a useful discussion. If the community believes
PII-free UIDs should be in the FAQ I will happily write up an entry for
it.
Re: keys require a user-id
Robert J. Hansen wrote:

> > GnuPG always asks IIRC new users for their Name and email address
> > and does not tell them in advance that they can use a free form UID,
> > without an email address, thus being able to use a key for multiple
> > accounts or purposes, without adding additional UIDs.
>
> It is not the job of the command-line interface to teach users the
> subtleties and nuances of OpenPGP. If users want to know the many
> different ways GnuPG can be used they need to read the documentation.
>
> If you think this use-case is important enough it should go in the
> manpage or FAQ, let's discuss that. But the command-line user
> interface is the wrong place to be teaching people about unusual use
> cases.

We now have the situation that either parents or teachers, etc. can
choose between a software which allows UID-less public key generation,
for their minors / students, themselves, or a software which does not
accept this and has no guidelines for free-form UIDs in their FAQ / man
page, nor an equal treatment in the standard key generation process.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
Re: keys require a user-id
On Fri, 15 May 2020 14:35, Ingo Klöcker said:

> UIDs. No UID -> invalid key. Why do you want to be able to import a key in
> GnuPG that would be utterly unusable?

FWIW, the expiration time of a key is also bound to the user-id as well
as key preferences and all kind of other possible gadgets. And no, a
direct-key signature is no replacement for this.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
new subscriber
Hi, I'm checking if my subscription is valid.

I look forward to hearing from you.

This message has been digitally signed by Arthur Dasaviour
Re: keys require a user-id
On 15/05/2020 14:34, Wiktor Kwapisiewicz wrote:
>
> When you sign someone else's User ID it's not your User ID that is doing
> the signing, it's your key; that's why you need a key validity that's
> separated from User ID (key validity is calculated from User ID validity).

The inputs to the WoT are the signatures and the ownertrust values, and
the outputs are UID validities. "Key validity" is neither an input nor a
meaningful output of the system. It is useful only as an intermediate
step, together with the ownertrust, in the calculation of another UID's
validity. The practical outworking of any validity calculation is not
"Is this key valid?" but "Is this key valid for this UID?".

Also, the following is incorrect:

> Third-party signatures are made for key fingerprint and User ID but then
> it takes one fully trusted UID (or 3 marginally by default) for the key
> to be considered valid.

It takes one fully trusted certifier (*), or three marginally trusted
certifiers (*) on the *same UID*, for a UID to be considered valid.
Three different UIDs of the same key signed by marginal certifiers do
not increase the validity of the key, otherwise increasing the number of
UIDs on a key could boost its validity, which is perverse. ;-)

(* certification by a key that has at least one valid UID and
(full|marginal) ownertrust)

--
Andrew Gallagher
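Added example, not part of any message in this thread and not GnuPG's code: a simplified Python model of the per-UID rule stated in the message above (one fully trusted or three marginally trusted certifiers on the same UID, each certifier needing at least one valid UID of its own). The `Key` class, the key IDs and the keyring are constructed for illustration; certification depth limits, expiry, revocation, trust signatures and persona certifications are assumed away.

```python
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1  # one fully trusted certifier is enough
MARGINALS_NEEDED = 3  # or three marginally trusted certifiers


@dataclass
class Key:
    ownertrust: str = "unknown"  # "ultimate", "full", "marginal" or "unknown"
    uids: dict = field(default_factory=dict)  # UID -> set of certifying key IDs


def uid_validities(keyring):
    """Return {(keyid, uid): bool}, iterating until nothing changes."""
    # UIDs on the user's own (ultimately trusted) keys are valid to start with.
    valid = {(kid, uid): key.ownertrust == "ultimate"
             for kid, key in keyring.items() for uid in key.uids}
    changed = True
    while changed:
        changed = False
        # A key counts as a certifier only if at least one of its UIDs is valid.
        has_valid_uid = {kid for (kid, _), ok in valid.items() if ok}
        for kid, key in keyring.items():
            for uid, signers in key.uids.items():
                if valid[(kid, uid)]:
                    continue
                full = marginal = 0
                for signer in signers - {kid}:  # self-signatures do not count
                    if signer not in has_valid_uid:
                        continue
                    trust = keyring[signer].ownertrust
                    if trust in ("ultimate", "full"):
                        full += 1
                    elif trust == "marginal":
                        marginal += 1
                # Counted per UID: signatures on sibling UIDs are never pooled.
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    valid[(kid, uid)] = True
                    changed = True
    return valid


def key_has_valid_uid(keyring, keyid):
    """The derived 'key validity': true if any UID on the key is valid."""
    return any(ok for (kid, _), ok in uid_validities(keyring).items()
               if kid == keyid)


# Constructed keyring: ME is the local user's own key.
KEYRING = {
    "ME": Key("ultimate", {"me": set()}),
    "M1": Key("marginal", {"m1": {"ME"}}),
    "M2": Key("marginal", {"m2": {"ME"}}),
    "M3": Key("marginal", {"m3": {"ME"}}),
    # Three marginal certifiers on the same UID: valid.
    "SAME": Key("unknown", {"alice": {"M1", "M2", "M3"}}),
    # Three UIDs with one marginal certifier each: none becomes valid.
    "SPLIT": Key("unknown", {"a": {"M1"}, "b": {"M2"}, "c": {"M3"}}),
    # UID-less key with full ownertrust: no valid UID, so not a certifier.
    "NOUID": Key("full", {}),
    "VIA_NOUID": Key("unknown", {"bob": {"NOUID"}}),
}
```
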
Re: keys require a user-id
On 15.05.2020 15:21, Andrew Gallagher wrote:
> Ownertrust is per-key, but validity is per-UID.

Andrew, there are two validity values:

$ gpg --edit-key andrewg

pub  rsa4096/FB73E21AF1163937
     created: 2013-07-02  expires: 2021-01-07  usage: SCA
-->  trust: unknown       validity: marginal   <--- here (A)
sub  rsa4096/6B09069314549D4B
     created: 2013-07-02  expires: 2021-01-07  usage: E
sub  rsa4096/5C1EC404D5906629
     created: 2015-04-26  expires: 2021-01-07  usage: S
sub  rsa4096/85FDF561DA8C0C46
     created: 2015-04-26  expires: 2021-01-07  usage: A
[marginal] (1). Andrew Gallagher   <-- and here (B)
[marginal] (2)  Andrew Gallagher

Value from (A) is calculated from User IDs (B).

When you sign someone else's User ID it's not your User ID that is doing
the signing, it's your key; that's why you need a key validity that's
separated from User ID (key validity is calculated from User ID
validity).

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
Re: keys require a user-id
> GnuPG always asks IIRC new users for their Name and email address
> and does not tell them in advance that they can use a free form UID,
> without an email address, thus being able to use a key for multiple
> accounts or purposes, without adding additional UIDs.

It is not the job of the command-line interface to teach users the
subtleties and nuances of OpenPGP. If users want to know the many
different ways GnuPG can be used they need to read the documentation.

If you think this use-case is important enough it should go in the
manpage or FAQ, let's discuss that. But the command-line user interface
is the wrong place to be teaching people about unusual use cases.
Re: Comparison of RSA vs elliptical keys
> Certainly there are many reasons to extend the standard, which is not
> set in stone and which is not a politically adopted law, for meaningful
> things.

Yes. If you want to talk about changing the standard please bring it up
to the proper mailing list. Here is not the place for it. If you can
persuade people to change the standard I'll be wildly in favor of GnuPG
implementing the standard.

> Of course, a program author has the right to design his program as he
> sees fit, but please don't be surprised if far-sighted pioneers expand
> this standard to meet the needs of a user base who would also like to
> use this standard.

This is irrelevant. We're talking about what GnuPG should do if someone
specifies strict RFC conformance. The answer to that question is
simple: it should strictly conform to the RFC and treat UID-free
certificates as the malformed entities they are.
Re: keys require a user-id
On 15/05/2020 14:01, Wiktor Kwapisiewicz via Gnupg-users wrote:
> AFAIK key validity and owner trust are per key not per User ID.

Ownertrust is per-key, but validity is per-UID. On my local machine
`gpg --list-keys wik...@metacode.biz` shows:

```
pub   rsa4096/0x6C8857E0D8E8F074 2017-01-01 [C] [expires: 2021-01-01]
      Key fingerprint = 6539 09A2 F0E3 7C10 6F5F  AF54 6C88 57E0 D8E8 F074
uid                   [ unknown] Wiktor Kwapisiewicz
uid                   [ unknown] [unknown attribute of size 83]
sub   rsa4096/0xB97A1EE09DB417EC 2017-10-18 [S] [expires: 2021-01-01]
sub   rsa2048/0x60D2F50529E2DE4F 2018-07-06 [E] [expires: 2021-01-01]
sub   rsa2048/0x97FDEF34DAB8F82B 2018-07-06 [S] [expires: 2021-01-01]
sub   rsa2048/0x3B6DFCC964CFEBC4 2018-07-06 [A] [expires: 2021-01-01]
```

Each of those `[ unknown]`s represents the validity of that particular
UID only.

I could right now add a new UID to my primary key. The invalidity of would not invalidate .

--
Andrew Gallagher
Re: keys require a user-id
I think we are conflating two related but distinct ideas here.

On 15/05/2020 13:35, Ingo Klöcker wrote:
> Why do you want to be able to import a key in
> GnuPG that would be utterly unusable?

There are use cases where you might want to transfer only the
modifications to a key, without necessarily distributing the entire
key. Publicly revoking a primary key without disclosing its user IDs,
for example.

But this is distinct from being able to create a new key with no user
IDs at all, which I see no reasonable use for - if your user ID is
sensitive, then use an alias. Even in the use case described above the
keys have aliases.

--
Andrew Gallagher
Re: keys require a user-id
Hi Ingo,

On 15.05.2020 14:35, Ingo Klöcker wrote:
> Because in GnuPG the validity of keys is bound to validity and owner trust of
> UIDs. No UID -> invalid key. Why do you want to be able to import a key in
> GnuPG that would be utterly unusable?

AFAIK key validity and owner trust are per key not per User ID.

Third-party signatures are made for key fingerprint and User ID but
then it takes one fully trusted UID (or 3 marginally by default) for
the key to be considered valid. And then if that valid key signs some
other User ID the process starts anew. For signing other keys only the
primary key is needed, not User IDs.

The distinction is important because it affects only the Web of Trust
and only in one way. That is if you owner-trusted that UID-less key it
could become a trust introducer in your WoT. Also you could encrypt to
that key and verify signatures just fine (it just wouldn't display
anything meaningful).

Is this useful? I'm not sure, but wanted to point out this one detail.

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
Re: keys require a user-id
On Friday, 15 May 2020 13:29:31 CEST Stefan Claas wrote:
> What I don't understand is why you are not liking the idea to allow
> GnuPG to automatically import and process UID-less public key blocks,
> if people who trust the GnuPG brand ask for this?

Because in GnuPG the validity of keys is bound to validity and owner
trust of UIDs. No UID -> invalid key. Why do you want to be able to
import a key in GnuPG that would be utterly unusable?

> GnuPG always asks IIRC new users for their Name and email address
> and does not tell them in advance that they can use a free form UID,
> without an email address, thus being able to use a key for multiple
> accounts or purposes, without adding additional UIDs.

To cite Robert J. Hansen: "Unless you know what you're doing and why,
use the defaults." Consequently, it's a good thing that GnuPG, by
default, doesn't bother new users with difficult decisions.

Regards,
Ingo
Re: keys require a user-id
Werner Koch wrote:

> On Thu, 14 May 2020 23:01, Stefan Claas said:
>
> > you would consider including it in GnuPG too and reflecting it in
> > the respective RFC?
>
> The User-IDs are an integral part of OpenPGP and at the core of its
> design. All kind of important information is bound to the user ids
> and thus a key w/o a user ID is basically useless.

I understand that a UID is an integral part, for example if people need
a certification from a trusted CA, which usually requires a full name
and email address.

What I don't understand is why you are not liking the idea to allow
GnuPG to automatically import and process UID-less public key blocks,
if people who trust the GnuPG brand ask for this?

Nobody is asking for UID-less key creation as default behavior.

> There is one exception for this: Derek Atkins (one of the original PGP
> authors) requested certain features to allow the use of a stripped
> down OpenPGP key by space and CPU constrained devices. We integrated
> this into the standard because it is better to use even a stripped
> down format than to come up with just another format.
>
> Direct key signatures were never intended to replace User-IDs and
> their self-signatures.
>
> And no, it is not a privacy issue. If you don't want to put your name
> or mail address into the user ID, just don't do it but use a random
> string or even the key's fingerprint. For the majority of use cases a
> mail address is still the best way to identify and even lookup a key.

GnuPG always asks IIRC new users for their Name and email address and
does not tell them in advance that they can use a free form UID,
without an email address, thus being able to use a key for multiple
accounts or purposes, without adding additional UIDs.

Best regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
keys require a user-id (was: Comparison of RSA vs elliptical keys)
On Thu, 14 May 2020 23:01, Stefan Claas said:

> you would consider including it in GnuPG too and reflecting it in the
> respective RFC?

The User-IDs are an integral part of OpenPGP and at the core of its
design. All kind of important information is bound to the user ids and
thus a key w/o a user ID is basically useless.

There is one exception for this: Derek Atkins (one of the original PGP
authors) requested certain features to allow the use of a stripped down
OpenPGP key by space and CPU constrained devices. We integrated this
into the standard because it is better to use even a stripped down
format than to come up with just another format.

Direct key signatures were never intended to replace User-IDs and their
self-signatures.

And no, it is not a privacy issue. If you don't want to put your name
or mail address into the user ID, just don't do it but use a random
string or even the key's fingerprint. For the majority of use cases a
mail address is still the best way to identify and even lookup a key.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
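Added example, not part of any message in this thread and not GnuPG's code: a structural check in Python that walks the packet headers of a binary OpenPGP key block (RFC 4880 packet format) and reports when no User ID packet is present, the condition the thread calls a UID-less key block. The function names and the sample packets are constructed for illustration; packet bodies are placeholder bytes, and no signature is verified.

```python
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14


def parse_packets(data):
    """Split a binary (dearmored) OpenPGP stream into (tag, body) pairs."""
    packets, pos = [], 0
    try:
        while pos < len(data):
            hdr = data[pos]
            pos += 1
            if not hdr & 0x80:
                raise ValueError("not an OpenPGP packet header")
            if hdr & 0x40:  # new-format header: tag in the low six bits
                tag = hdr & 0x3F
                first = data[pos]
                pos += 1
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                elif first == 255:
                    length = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:
                    raise ValueError("partial body lengths are not handled")
            else:  # old-format header: tag in bits 5-2, length type in bits 1-0
                tag = (hdr & 0x3C) >> 2
                length_type = hdr & 0x03
                if length_type == 3:
                    raise ValueError("indeterminate lengths are not handled")
                size = (1, 2, 4)[length_type]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
            if pos + length > len(data):
                raise ValueError("truncated packet body")
            packets.append((tag, data[pos:pos + length]))
            pos += length
    except IndexError:
        raise ValueError("truncated packet header") from None
    return packets


def structural_problems(data):
    """List layout problems in a public key block; an empty list means none."""
    tags = [tag for tag, _ in parse_packets(data)]
    problems = []
    if not tags or tags[0] != TAG_PUBLIC_KEY:
        problems.append("first packet is not a Public-Key packet")
    if TAG_USER_ID not in tags:
        problems.append("no User ID packet")
    elif (TAG_PUBLIC_SUBKEY in tags
          and tags.index(TAG_PUBLIC_SUBKEY) < tags.index(TAG_USER_ID)):
        problems.append("subkey appears before the first User ID")
    return problems


def new_packet(tag, body):
    """Build a new-format packet (helper for the constructed samples)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def old_packet(tag, body):
    """Build an old-format packet with a two-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


# Constructed samples: placeholder bodies, not real key material.
KEY = old_packet(TAG_PUBLIC_KEY, b"\x04" + b"K" * 300)
UID = new_packet(TAG_USER_ID, b"a3f9c1 (constructed random UID)")
SIG = new_packet(TAG_SIGNATURE, b"S" * 200)
SUB = new_packet(TAG_PUBLIC_SUBKEY, b"E" * 40)
WITH_UID = KEY + UID + SIG + SUB + SIG
UID_LESS = KEY + SIG + SUB + SIG
```

The functions expect binary input; an ASCII-armored key block has to be converted first, for example with `gpg --dearmor`.
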
Re: Comparison of RSA vs elliptical keys
Robert J. Hansen wrote:

> > When you work in compliance mode it should be IMHO possible that
> > people wishing to communicate with you (from foreign countries) and
> > may have a different opinion about privacy,
>
> Sure. And if they're important enough for me to justify breaking
> compliance, I am perfectly capable of removing the "rfc4880" flag from
> my gpg.conf file.
>
> There is no excuse for willfully breaking RFC4880 compliance *when the
> user has explicitly requested strict compliance*.

Certainly there are many reasons to extend the standard, which is not
set in stone and which is not a politically adopted law, for meaningful
things.

Of course, a program author has the right to design his program as he
sees fit, but please don't be surprised if far-sighted pioneers expand
this standard to meet the needs of a user base who would also like to
use this standard.

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas