ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Embedded TPK subpacket

2019-03-25 07:26:08

My proposal is ment to obsolete the existing mechanisms.  The fact that
we now have multiple incompatible mechanisms is a bit sad, and I'm
trying to extend OpenPGP so that we can have interoperable
implementations again.

So what your proposal brings to the table is in-band key distribution without
MUA involvement, but hinges on the use of signed-only mails. Given the rather
terrible state of signed-only messages, which is likely what caused both
Autocrypt and PEP to omit support for them, I'm sceptical of this approach's
potential to do much for the unification of key distribution mechanisms.

Some more context: I chose to actively discourage signed-only mails in K-9 Mail,
due to 1) the friction they cause with recipients ("your mail contained a weird
attachment, is this a virus?"), and 2) limited usefulness in practice due to
brittle reliability and non-existent network effect.

That said, I can definitely see how self-contained signatures could be useful to
have for this and other purposes!

For example, if you look at Autocrypt, implementing it means that the MUA
needs to do a lot of low-level key manipulations.

Can you elaborate on this? We designed Autocrypt to be as agnostic of OpenPGP
implementation details as possible, especially for public key management it can
get away with treating keys as opaque bytes blobs. IINM the required API from an
OpenPGP implementation should be complete with just "get minimal own public
key", "check TPK integrity", and "encrypt to keys (given as blobs)". In practice
OpenPGP support in MUAs tends to be more involved than that, but I don't think
there is an actual "need" for that.

 - V

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

<Prev in Thread] Current Thread [Next in Thread>