Hi,

On Wednesday 9 November 2022, 14:16:50 CET, Paul Schaub wrote:
> Some more feedback:

Some more replies

> In "Signing a Pubsub Item With OpenPGP", you state that "Signing an item
> with OpenPGP requires to have XEP-0373: OpenPGP for XMPP implemented to
> handle keys, [...]". I would argue, that - although useful - XEP-0373 is
> not strictly required as certificate distribution can also be done in
> other ways, so I would personally remove this statement. Of course, this
> may change once you describe the process of validating a signed item in
> more detail (especially the process of discovering the certificate via
> XEP-0373).

I need to think about that; it's true that XEP-0373 should not be absolutely necessary.

> It probably also makes sense to pin some of the signature parameters of
> RFC4880 to fixed values, such as the Signature Type
> (https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.1).
> I would suggest 0x00; Binary Document. Perhaps though, this should go
> into XEP-0373 instead?

Not sure about that, I guess this needs discussion between people involved. For now the philosophy in our implementation is to let the library used (GPGME for now, we would also like to use Sequoia PGP at some point) make the decision.

> Otherwise, for sake of completeness I would like to see a section on
> signature verification, not sure if that is required to be able to
> create an implementation :)

For the record, I have already made an implementation in Libervia (along with OpenPGP for XMPP Pubsub, and Pubsub Target Encryption). Normally the current specification is complete enough.

Goffi
