(I'm not an expert if this is the correct time for this - I hope so. :)
Currently, Section 6.2 says:
Currently defined Armor Header Keys are as follows:
"Version", which states the OpenPGP implementation and version used to
encode the message.
I propose to add this sentence:
To minimize metadata, implementations SHOULD NOT emit this key and its
corresponding value except for debugging purposes with explicit user
We discussed this on gnupg-devel in 2016 and here in 2019. Then, dkg
The version of GnuPG in use is not particularly helpful. It is not
cryptographically verifiable, and it doesn't distinguish between
significant version differences like 2.0.x and 2.1.x.
Additionally, it leaks metadata that can be used to distinguish users
from one another, and can potentially be used to target specific
attacks if there are known behaviors that differ between major
It's probably better to take the more parsimonious approach to
metadata production by default.
See this example for a real-world attack:
This is rough consensus and running code in all implementations I can
If this gets adopted, we should probably remove it from this example:
Thanks, and keep up the good work!
If you upload your address book to "the cloud", I don't want to be in it.
openpgp mailing list
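
Added example, not part of the original message or of any OpenPGP implementation: a filter that removes the "Version" Armor Header from ASCII-armored text before it leaves a system, for cases where the producing tool cannot be configured to omit it. The function name `strip_armor_headers` and the sample block (including "ExamplePGP 1.0" and the placeholder body) are constructed for illustration.

```python
import re

# Armor Header Line, e.g. "-----BEGIN PGP SIGNATURE-----"
BEGIN = re.compile(r"^-----BEGIN PGP [A-Z0-9 ,/]+-----\s*$")
# Armor Header: "Key: value"
HEADER = re.compile(r"^([A-Za-z0-9-]+): ?(.*)$")

def strip_armor_headers(text, drop=("Version",)):
    """Return (cleaned_text, removed_lines).

    Only lines between an Armor Header Line and the blank line that ends
    the header section are candidates. Armor Headers are outside the
    base64 body, so the CRC and any signature are unaffected by removal.
    """
    out, removed = [], []
    in_headers = False
    for line in text.splitlines():
        if BEGIN.match(line):
            in_headers = True
            out.append(line)
            continue
        if in_headers:
            m = HEADER.match(line)
            if line.strip() == "" or not m:
                in_headers = False      # blank line (or body data) ends headers
            elif m.group(1) in drop:
                removed.append(line)    # drop the metadata-leaking header
                continue
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample: a cleartext-signed message whose signed text happens to
# contain a line that looks like a header. The body is a placeholder, not a
# real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Version: this line is signed text, not a header
-----BEGIN PGP SIGNATURE-----
Version: ExamplePGP 1.0
Comment: constructed sample

AAAA
=AAAA
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    cleaned, removed = strip_armor_headers(SAMPLE)
    print(cleaned)
    print("removed:", removed)
```

The "Hash" header of the cleartext framework and the look-alike line inside the signed text are left untouched; only the header in the signature block is removed.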