Paul Wouters <[email protected]> writes:

> On Thu, 28 Aug 2014, Simon Josefsson wrote:
>
>> I have updated a six (!) year old document describing the OpenPGP
>> mail/news header field.  As it encourages and promotes use of
>> encrypted/signed email, I thought it would be relevant to this list.
>> All feedback is appreciated, either directly to me or here.
>>
>> http://tools.ietf.org/html/draft-josefsson-openpgp-mailnews-header-07
>
> I think it would be better to announce both keyid and fingerprint.
>
> Would it be better to use the longer keyid version?

Both key id and full fingerprint are permitted.

> Should a warning be added to the Security Considerations about v3 keys
> being vulnerable to forging of fingerprints?
> See: https://github.com/coruus/cooperpair/tree/master/keysteak

There is already the following text:

    Version 3 OpenPGP keys can be created with a chosen key id (aka "the
    0xDEADBEEF attack").  Verifying the Key ID of a retrieved key against
    the one provided in the field is thus not sufficient to protect
    against a man-in-the-middle attack.  Instead, the web-of-trust
    mechanism should be used.

> It would be nice to support OPENPGPKEY DNS records in header as well?
>
> either:
>
> OpenPGP: dns:[email protected]
>
> or
>
> OpenPGP:
> dns=ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca

Should already be supported through RFC 4501, or am I missing something?

OpenPGP: id=12345678; url=dns:ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66._openpgpkey.nohats.ca?TYPE=OPENPGPKEY

OpenPGP: id=12345678; url=dns:simon.josefsson.org?TYPE=CERT

> Perhaps add a reference to:
>
> http://tools.ietf.org/html/draft-wouters-dane-openpgp

Please propose some text to give the reference some context, and I'll
consider it. :-)

/Simon

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
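As an added example, not code from the draft or from anyone in this thread, here is a small Python parser for the `id=...; url=...` header form Simon shows, together with an RFC 4501 `dns:` URI parser and a check that applies the draft's Security Considerations point: a match on key id alone is recorded as "weak", and only a full v4 fingerprint match counts as "strong". The length-based classification of the `id` value, the convention that a `;` inside a `dns:` query (between CLASS and TYPE) is percent-encoded as `%3B` within the `url` parameter, and all sample header values and the fingerprint are assumptions constructed for this example; the class IN / type A defaults are those of RFC 4501.

```python
import re
from urllib.parse import unquote

# Constructed header values, modelled on the two examples in the reply.
HEADER_DNS = ("id=12345678; url=dns:ab16de0656382d91838914109ab89a0a4e04321550a1a20ace7a8b66"
              "._openpgpkey.nohats.ca?TYPE=OPENPGPKEY")
HEADER_CERT = "id=12345678; url=dns:simon.josefsson.org?TYPE=CERT"

_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def parse_openpgp_header(value):
    """Split an OpenPGP header value such as 'id=...; url=...' into a dict.
    Folded continuation lines (CRLF followed by whitespace) are unfolded first.
    Assumption: a literal ';' inside a url value is percent-encoded (%3B)."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    params = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError("parameter without '=': %r" % part)
        name = name.strip().lower()
        if name in params:
            raise ValueError("duplicate parameter %r" % name)
        params[name] = val.strip()
    return params


def classify_id(hexid):
    """Classify the id parameter by hex length (assumed classification, not text
    from the draft): 8 = short key id, 16 = long key id, 32 = v3 fingerprint
    (MD5), 40 = v4 fingerprint (SHA-1)."""
    if not _HEX.match(hexid):
        raise ValueError("id is not hexadecimal: %r" % hexid)
    return {8: "short-keyid", 16: "long-keyid",
            32: "v3-fingerprint", 40: "v4-fingerprint"}.get(len(hexid), "unknown")


def parse_dns_uri(uri):
    """Parse an RFC 4501 URI: dns:[//authority/]name[?CLASS=..;TYPE=..].
    Class defaults to IN and type to A when the query part is absent."""
    if uri[:4].lower() != "dns:":
        raise ValueError("not a dns: URI: %r" % uri)
    rest = uri[4:]
    authority = None
    if rest.startswith("//"):
        authority, _, rest = rest[2:].partition("/")
    name, _, query = rest.partition("?")
    rrclass, rrtype = "IN", "A"
    # Decode %3B before splitting so a url carried inside the header works.
    for item in filter(None, unquote(query).split(";")):
        key, _, val = item.partition("=")
        if key.upper() == "CLASS":
            rrclass = val.upper()
        elif key.upper() == "TYPE":
            rrtype = val.upper()
        else:
            raise ValueError("unknown dns query element: %r" % item)
    return {"authority": authority, "name": unquote(name),
            "class": rrclass, "type": rrtype}


def evaluate_binding(params, retrieved_v4_fingerprint):
    """Compare a retrieved key's v4 fingerprint (40 hex chars) with the header id.
    'strong': the full fingerprint matches.  'weak': only a key id matched, or
    the id is a v3 fingerprint; per the draft's Security Considerations that
    does not rule out a key generated with a chosen key id, so the web of
    trust must still be consulted.  'mismatch': not the announced key."""
    hexid = params.get("id")
    if hexid is None:
        return "none"
    kind = classify_id(hexid)
    hexid, fpr = hexid.upper(), retrieved_v4_fingerprint.upper()
    if kind == "v4-fingerprint":
        return "strong" if hexid == fpr else "mismatch"
    if kind in ("short-keyid", "long-keyid"):
        # For v4 keys the key id is the low 64 bits of the fingerprint.
        return "weak" if fpr.endswith(hexid) else "mismatch"
    return "weak"


if __name__ == "__main__":
    for hdr in (HEADER_DNS, HEADER_CERT):
        p = parse_openpgp_header(hdr)
        print(p["id"], classify_id(p["id"]), parse_dns_uri(p["url"]))
    # Constructed fingerprint whose low 32 bits equal the announced key id.
    fpr = "0123456789ABCDEF0123456789ABCDEF12345678"
    print(evaluate_binding(parse_openpgp_header(HEADER_DNS), fpr))  # weak
```

The "weak" verdict is the operational form of the draft's existing warning: an id that is only a key id (or a v3 fingerprint, given the forgery concern raised in the thread) lets a client locate a key but not trust it, so a mail client should still run its web-of-trust check before treating the retrieved key as the sender's.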
