
Re: [openpgp] Combining signature with signer's public key

2020-12-11 02:30:31
On Fri, 11 Dec 2020 08:21, Wiktor Kwapisiewicz said:

> You may be interested in the Key Block signature subpacket as detailed
> in here:

Right.  GnuPG introduced this for better user experience with mail
providers who won't deploy a Web Key Directory and, more important, to
ease handling of signed file conveyed using non-mail systems.

> Do note that as to my knowledge nothing supports it yet (happy to be
> corrected).

GnuPG supports this since 2.2.20 (released 2020-03-20)

  * gpg: New options --include-key-block and --auto-key-import to
    allow encrypted replies after an initial signed message.  [#4856]

--include-key-block
--no-include-key-block

    This option is used to embed the actual signing key into a data
    signature.  The embedded key is stripped down to a single user id
    and includes only the signing subkey used to create the signature
    as well as valid encryption subkeys.  All other info is removed
    from the key to keep it and thus the signature small.  This option
    is the OpenPGP counterpart to the gpgsm option --include-certs and
    allows the recipient of a signed message to reply encrypted to the
    sender without using any online directories to lookup the key.  The
    default is --no-include-key-block.  See also the option
    --auto-key-import.

--auto-key-import
--no-auto-key-import

    This is an offline mechanism to get a missing key for signature
    verification and for later encryption to this key.  If this option
    is enabled and a signature includes an embedded key, that key is
    used to verify the signature and on verification success the key is
    imported. The default is --no-auto-key-import.

    On the sender (signing) side the option --include-key-block needs to
    be used to put the public part of the signing key as “Key Block
    subpacket” into the signature.

The include-key-block option should only be enabled if required.  MUAs
can decide whether this makes sense; GPGME supports this using
gpgme_set_ctx_flag (flags "include-key-block" and "auto-key-import").


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
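The round trip described above, as an added example that is not part of this thread or of GnuPG's own test suite: the sender signs once without and once with --include-key-block, and a recipient with an empty keyring verifies with --auto-key-import. It assumes gpg 2.2.20 or later on PATH; the identity and message are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sign with --include-key-block, then verify
# on a second, empty keyring with --auto-key-import.  Needs gpg >= 2.2.20; the
# identity "Alice Example" and the message are constructed for the demo.
set -eu

demo_key_block() {
    work=$(mktemp -d)
    sender="$work/sender"; recip="$work/recip"
    mkdir -m 700 "$sender" "$recip"
    # Throw-away sender key without passphrase, so batch signing needs no prompt.
    gpg --homedir "$sender" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice Example <alice@example.invalid>' default default never
    echo 'hello' > "$work/msg.txt"
    # An ordinary detached signature next to one carrying the Key Block subpacket.
    gpg --homedir "$sender" --batch --quiet --detach-sign \
        -o "$work/plain.sig" "$work/msg.txt"
    gpg --homedir "$sender" --batch --quiet --include-key-block --detach-sign \
        -o "$work/kb.sig" "$work/msg.txt"
    echo "plain: $(wc -c < "$work/plain.sig") bytes, with key block: $(wc -c < "$work/kb.sig") bytes"
    # The recipient has never seen Alice's key, so the plain signature cannot be checked.
    if gpg --homedir "$recip" --batch --quiet --verify "$work/plain.sig" "$work/msg.txt" 2>/dev/null; then
        echo "unexpected: verified without the key"; return 1
    fi
    # With --auto-key-import the embedded key verifies the signature and is then imported.
    status=$(gpg --homedir "$recip" --batch --quiet --status-fd 1 --auto-key-import \
             --verify "$work/kb.sig" "$work/msg.txt" 2>/dev/null)
    echo "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || { echo "no VALIDSIG"; return 1; }
    # The key now sits in the recipient's keyring, so an encrypted reply is possible...
    gpg --homedir "$recip" --batch --quiet --list-keys alice@example.invalid >/dev/null
    # ...but the signature only proves possession of the embedded key, not who owns it:
    # GnuPG reports it valid yet untrusted until the recipient certifies the key.
    echo "$status" | grep -q '^\[GNUPG:\] TRUST_UNDEFINED' || { echo "unexpected trust"; return 1; }
    gpgconf --homedir "$sender" --kill gpg-agent
    gpgconf --homedir "$recip" --kill gpg-agent
    rm -rf "$work"
}

# Run only where the installed gpg knows the option (2.2.20 or later).
if gpg --dump-options 2>/dev/null | grep -q '^--include-key-block$'; then demo_key_block; fi
```

The TRUST_UNDEFINED status line is the caveat to watch: auto-import makes the signature verifiable, but the recipient still has no evidence that the key belongs to the claimed sender.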

