ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Combining signature with signer's public key

2020-12-10 19:02:16
On 2020-12-10 at 21:38:22, Kai Engert wrote:
Is it possible to include the sender's own public key as part of a detached
OpenPGP signature?

When Thunderbird sends a signed email, it wants to include the sender's
public key by default, to ensure that the recipient has it available.

Thunderbird sends the key as an attachment.

We received a surprisingly high number of complaints from users. who are
unhappy about having attached the key by default. Apparently having the
extra public key attachment causes confusion on the recipient side, with
users not understanding what the attachment is about.

Yes, adding an attachment that the sender did not explicitly request is
not a good idea.  I would find this undesirable, too.

However, I haven't heard complaints about the signature attachment - which
is shown by MUA that don't support OpenPGP. The signature attachment appears
to be less of a problem or confusion.

That's because (a) it's been around a long time and (b) that this is a
multipart/signed message, not an attachment.  An MUA that handles S/MIME
already knows how to handle this type because the same MIME type is used
for both (although the MIME type of the signature is different).  And
generally the signature doesn't have an attachment Content-Disposition.

Some MUAs do show it as an attachment and that does cause confusion.
I've had people ask me about it.

If it were possible to include the sender's public key inside the signature,
Thunderbird could use a single attachment for both.

I don't think RFC 4880 specifically permits this as part of an OpenPGP
message, but then again they don't specifically permit a detached
signature as an OpenPGP message (although it is described elsewhere).  I
suspect many implementations would in fact understand and parse a key
that was included in the same OpenPGP message as the signature, but
might or might not permit it to be imported.  RFC 3156 states that the
second body "MUST contain the OpenPGP digital signature," but doesn't
restrict it to that or specify things that it should not contain.

You could prototype it and try to see how other implementations (e.g.,
mutt) handle it.  I don't know how you'd get GnuPG to emit a combined
block, though.

There is also a specification called Autocrypt[0] (which I have not
looked at more than cursorily), which may be useful for your needs.

Finally, you could just assume that the user has access to a suitable
keyserver, like many people do, and skip sending the key altogether.
This is what mutt does.

[0] https://autocrypt.org/level1.html
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp