[pkg-gnupg-maint] gnupg2-revert-rfc4880bis.patch

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 29 19:47:37 GMT 2024


Thanks for reviving this discussion, Andreas--

On Fri 2024-03-29 15:55:27 +0100, Andreas Metzler wrote:
> 1 Should we patch gpg 2.4 to avoid setting a preference for receiving
> AEAD/OCB on generated keys. ("b" in Daniel's
> 87edd6u3qa.fsf at fifthhorseman.net)
> 2 Should we patch gnupg >= 2.2.40 and 2.4 to ignore the setting for
> AEAD/OCB preference when encrypting messages.  ("c")
>
> I would tend to say yes to 1 and no to 2.

I agree with you about (1): we should patch to avoid generating OpenPGP
certificates that advertise support for receiving draft-koch-style
AEAD/OCB packets.

I think I disagree with you about (2): this behavior is precisely what
caused the failures with Thunderbird recently.  The version of librnp
that Thunderbird was using let users import a secret key/certificate
that had been generated with a version of GnuPG that included the
advertisement, and send mail with it, including the certificate.

Then someone responded using a tool (like the proposed GnuPG version)
which emitted packets, that Thunderbird then couldn't read.

Do we want the Debian packages to play into that dynamic?

> I still do not know what use cases break with respect to "v5 wireformat",
> i.e. when gpg 2.4 generates it. e.g. "gpg-2.4 --detach-sign -a ..."
> (with a gpg 2.4 generated rsa key) generates a detached signature that
> can be verified with "sqop verify ".

This is a separate question from what you mentioned above, right?  Seems
like you're asking about v5 signatures here, but you're saying that the
proposed versions don't currently emit them by default.  That's a good
report to have!

       --dkg
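Both points in the thread come down to what is on the wire: whether a certificate's self-signature advertises draft-koch-style AEAD/OCB support (point 2, the interoperability failure with Thunderbird/librnp), and whether a signature packet is v4 or v5 (Andreas's "v5 wireformat" question). The following is an added example, not code from this thread, from GnuPG or from Debian's packaging: a small OpenPGP packet walker that reports both facts for a binary (dearmored) packet stream. It assumes the rfc4880bis/draft-koch numbering in which the "Preferred AEAD Algorithms" signature subpacket is type 34 and the AEAD algorithm IDs are 1 (EAX) and 2 (OCB); those numbers are from the draft, not from the thread. The sample inputs are constructed inline and are not real keys or signatures.

```python
"""
Added example (not from the thread, GnuPG, or Debian): walk OpenPGP packets
and report (a) signature packet versions and (b) any draft-koch-style
"Preferred AEAD Algorithms" subpacket (type 34, rfc4880bis; assumption,
not stated in the thread) found in a signature's hashed area.
Feed it binary packets, e.g. the output of `gpg --export KEYID` or a
`--dearmor`ed detached signature.
"""
import struct
import sys

PKT_SIGNATURE = 2
SIGSUBPKT_PREF_AEAD = 34                  # rfc4880bis "Preferred AEAD Algorithms"
AEAD_NAMES = {1: "EAX", 2: "OCB"}         # rfc4880bis AEAD algorithm IDs


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old and new format headers,
    fixed lengths only (partial body lengths are rejected)."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if ctb & 0x40:                                 # new-format header
            tag = ctb & 0x3F
            first = data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                          # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[i]; i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]; i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                length = n - i                         # indeterminate: rest of stream
        yield tag, data[i:i + length]
        i += length


def iter_subpackets(area: bytes):
    """Yield (type, body) for a signature subpacket area; the critical bit is stripped."""
    i = 0
    while i < len(area):
        first = area[i]; i += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + area[i] + 192; i += 1
        else:
            length = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length


def parse_signature(body: bytes):
    """Return (version, hashed subpackets). v4 and rfc4880bis v5 share the
    layout: version, sig type, pk algo, hash algo, 2-octet hashed length."""
    version = body[0]
    if version not in (4, 5):
        return version, []
    hashed_len = struct.unpack(">H", body[4:6])[0]
    return version, list(iter_subpackets(body[6:6 + hashed_len]))


def inspect(data: bytes) -> dict:
    """Summarize: versions of all signature packets and advertised AEAD algorithms."""
    report = {"signature_versions": [], "pref_aead": []}
    for tag, body in iter_packets(data):
        if tag != PKT_SIGNATURE:
            continue
        version, subs = parse_signature(body)
        report["signature_versions"].append(version)
        for sub_type, val in subs:
            if sub_type == SIGSUBPKT_PREF_AEAD:
                report["pref_aead"].extend(AEAD_NAMES.get(b, f"unknown({b})") for b in val)
    return report


# --- constructed samples (NOT real keys or signatures) -----------------------
def _subpkt(sub_type: int, body: bytes) -> bytes:
    return bytes([len(body) + 1, sub_type]) + body          # one-octet length form


def _sig_packet(version: int, hashed: bytes) -> bytes:
    body = bytes([version, 0x13, 1, 8])                     # positive cert, RSA, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0)                            # no unhashed subpackets
    body += b"\x00\x00"                                     # dummy hash prefix
    body += struct.pack(">H", 8) + b"\xff"                  # dummy 8-bit MPI
    return bytes([0xC0 | PKT_SIGNATURE, len(body)]) + body  # new-format header


_CREATED = _subpkt(2, b"\x00\x00\x00\x00")                  # signature creation time
_SYM = _subpkt(11, b"\x09\x08")                             # preferred AES-256, AES-192
CERT_WITH_AEAD_PREF = _sig_packet(4, _CREATED + _SYM + _subpkt(SIGSUBPKT_PREF_AEAD, b"\x02"))
CERT_WITHOUT_AEAD_PREF = _sig_packet(4, _CREATED + _SYM)
V5_DETACHED_SIG = _sig_packet(5, _CREATED)

if __name__ == "__main__":
    blob = sys.stdin.buffer.read() if not sys.stdin.isatty() else CERT_WITH_AEAD_PREF
    print(inspect(blob))
```

A certificate that reports `OCB` under `pref_aead` is one for which a draft-koch-aware GnuPG would pick AEAD/OCB when encrypting, which is the dynamic the thread describes; a `5` under `signature_versions` is the v5 wire format Andreas asks about. Only the hashed area of the self-signature is consulted, since an unhashed subpacket is not covered by the key holder's signature.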

