Re: [openpgp] Combining signature with signer's public key

holger krekel <holger@merlinux.eu> Fri, 11 December 2020 08:31 UTC

Date: Fri, 11 Dec 2020 09:31:14 +0100
From: holger krekel <holger@merlinux.eu>
To: Kai Engert <kaie@kuix.de>
Cc: openpgp@ietf.org
Message-ID: <20201211083114.GI184802@beta>
References: <48be3fcf-cdce-9ef4-655b-63b6dddf9310@kuix.de>
In-Reply-To: <48be3fcf-cdce-9ef4-655b-63b6dddf9310@kuix.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1s0sXEpjCiD75PnBxkALd9CyAUk>

Hi Kai, 

The reason several e-mail app implementors decided on a header
in the discussions leading up to the Autocrypt spec in 2017
was precisely to not confuse users with weird attachments. Related FAQ:
https://autocrypt.org/faq.html#why-are-you-using-headers-rather-than-attached-keys

What do you find problematic about it?  It's been used in several mail
apps (including Thunderbird/Enigmail up until TB78 in August 2020) and
did not cause any UX issues or complaints. I'd kindly ask you to consider
not inventing another method now without strong reason.

cheers,
holger



On Thu, Dec 10, 2020 at 22:38 +0100, Kai Engert wrote:
> Is it possible to include the sender's own public key as part of a detached
> OpenPGP signature?
> 
> When Thunderbird sends a signed email, it wants to include the sender's
> public key by default, to ensure that the recipient has it available.
> 
> Thunderbird sends the key as an attachment.
> 
> We received a surprisingly high number of complaints from users who are
> unhappy about having attached the key by default. Apparently having the
> extra public key attachment causes confusion on the recipient side, with
> users not understanding what the attachment is about.
> 
> However, I haven't heard complaints about the signature attachment - which
> is shown by MUAs that don't support OpenPGP. The signature attachment appears
> to be less of a problem or confusion.
> 
> If it were possible to include the sender's public key inside the signature,
> Thunderbird could use a single attachment for both.
> 
> Thanks,
> Kai