Re: [openpgp] Combining signature with signer's public key
Kai Engert <kaie@kuix.de> Fri, 11 December 2020 09:43 UTC
To: holger krekel <holger@merlinux.eu>
Cc: openpgp@ietf.org
References: <48be3fcf-cdce-9ef4-655b-63b6dddf9310@kuix.de> <20201211083114.GI184802@beta>
From: Kai Engert <kaie@kuix.de>
Message-ID: <91e4784a-3238-6c50-fa10-e09835fc6587@kuix.de>
Date: Fri, 11 Dec 2020 10:43:11 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/HJYJlch5gkaWlr_6-aeDlFJWX1U>

On 11.12.20 09:31, holger krekel wrote:
> the reason several e-mail app implementors decided for a header
> in the discussions leading up to the Autocrypt spec in 2017
> was precisely to not confuse users with weird attachments. related FAQ:
> https://autocrypt.org/faq.html#why-are-you-using-headers-rather-than-attached-keys
>
> What do you find problematic about it? It's been used in several mail
> apps (including Thunderbird/Enigmail up until TB78 in August 2020) and
> did not cause any UX issues or complaints. I'd kindly ask you to consider
> not inventing another method now without strong reason.

The amount of data that can be transported in an email header is limited.

For the simple keys that can be generated inside Thunderbird (primary key, single subkey for encryption, single user ID), using the Autocrypt header could work.

However:

- we also allow users to use their complex keys with Thunderbird, which may contain multiple user IDs, and contain many certifications, causing the key to be very big

The Autocrypt header seems like an incomplete key distribution mechanism for complex keys.

- what Thunderbird sends in PGP/MIME's application/gpg-keys attachment isn't limited to the sender's public key. It will also include revocation statements, for revoked keys matching the sender's email address.

Kai
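
The size argument in the message above can be made concrete with the following added example, which is not part of the message and not Thunderbird or Autocrypt code. It walks the packets of a binary OpenPGP key (RFC 4880 framing) and reports how many user IDs, subkeys and signatures it holds and how long an unfolded `Autocrypt:` header with `addr` and `keydata` attributes would be. The function names are hypothetical and the sample keys are constructed from zero-filled packet bodies.

```python
import base64
from collections import Counter

SIG, PUBKEY, USERID, SUBKEY = 2, 6, 13, 14  # packet tags, RFC 4880 section 4.3

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP key (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:                 # one-octet length
                length, i = first, i + 1
            elif first < 224:               # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:              # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not used for key packets")
        else:                               # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def new_packet(tag, body):
    """Frame body as a new-format packet (one- or five-octet length)."""
    enc = bytes([len(body)]) if len(body) < 192 else b"\xff" + len(body).to_bytes(4, "big")
    return bytes([0xC0 | tag]) + enc + body

def sample_key(user_ids, certs_per_uid):
    """Constructed key: zero-filled bodies, sizes roughly those of RSA-2048 packets."""
    key = new_packet(PUBKEY, bytes(269))
    for n in range(user_ids):
        key += new_packet(USERID, f"User {n} <user{n}@example.org>".encode())
        key += new_packet(SIG, bytes(310)) * (1 + certs_per_uid)  # self-sig + certifications
    return key + new_packet(SUBKEY, bytes(269)) + new_packet(SIG, bytes(310))

def profile(addr, key):
    counts = Counter(tag for tag, _ in iter_packets(key))
    header = f"Autocrypt: addr={addr}; keydata={base64.b64encode(key).decode()}"  # unfolded
    return {"user_ids": counts[USERID], "subkeys": counts[SUBKEY],
            "signatures": counts[SIG], "header_bytes": len(header)}
```

With these constructed inputs, `profile("alice@example.org", sample_key(1, 0))` gives a header of about 1.6 KB, while `sample_key(3, 40)` (three user IDs with 40 certifications each) gives 124 signature packets and a header of roughly 53 KB before folding.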