David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:
On Mon, Oct 31, 2005 at 11:11:56AM +0100, Simon Josefsson wrote:
Hi everyone! FYI:
I submitted an updated version of this document a few weeks ago. The
changes since -01 are small: A new "preference" field has been added,
to signal whether the sender wish that e-mail should be signed,
encrypted or both.
I have some concerns with this preference field. There is already a
way to specify this preference on the key itself
("preferred-email-encoding(_at_)pgp(_dot_)com").
That is not standardized though. I agree with Brian that I'd like to
see it standardized.
Once a user finds the key, they have an authoritative and
tamperproof statement about email preference. The OpenPGP header is
not tamperproof, and having the preference in there raises the
question what to do if the header preference doesn't match the
preference on the key.
I hope the OpenPGP document doesn't leave any questions as to what
should happen. The document says in several places that it is for
informational purposes, and that the information should not be
considered trust-worthy.
I see the OpenPGP header as a useful key finding aid. Once the key is
found, though, the header has served its purpose.
I recall some situations where this preference field might be useful.
I think it was another way to bootstrap OpenPGP communication.
Yes, how about this use-case: An announcement-only mailing list might
prefer OpenPGP signed messages. It could then add a 'OpenPGP:
preference=sign' message to all list posts. The sender could be the
mailing list address, which may not have a OpenPGP key at all. So you
couldn't fetch an OpenPGP key for the mailing list address. Arguable,
the mailing list managers could create a dummy OpenPGP key for the
mailing list address, and set the e-mail preference and upload the
key. However, so could anyone, since the key isn't used nor trusted
by anyone. The announcement-only mailing list could be some abstract
mail addresses too. Like submit(_at_)bugs(_dot_)debian(_dot_)org or similar.
I haven't thought this idea through, so it may be silly. However, I
recall convincing myself that the OpenPGP field may be useful in some
situations where a OpenPGP key preference field is less useful. These
two ideas doesn't have to be mutually exclusive. It is clear that the
tamper-proof preference should be preferred, if you trust that key,
but otherwise it doesn't matter.
Thanks,
Simon