potential IETF WG incompatibility with GnuPG 2.3
Neal H. Walfield
neal at walfield.org
Tue Dec 13 12:33:35 CET 2022
On Tue, 13 Dec 2022 10:07:07 +0100,
Neal H. Walfield wrote:
>
> On Tue, 13 Dec 2022 09:35:22 +0100,
> Bernhard Reiter wrote:
> > (Same as you did when you have decided to make keys.openpgp.org incompatible
> > with the existing OpenPGP standard, by not adding the necessary signature, see
> > https://dev.gnupg.org/T4393 and blame it as defect on your page
> > https://keys.openpgp.org/about/faq)
>
> I think you are misreading the standard here. My reading of 4880 is
> the grammar for certificates explicitly says that self signatures on
> User ID packets are optional:
>
> - One or more User ID packets
>
> - After each User ID packet, zero or more Signature packets
> (certifications)
>
> ...
>
> Immediately following each User ID packet, there are zero or more
> Signature packets.
>
> https://www.rfc-editor.org/rfc/rfc4880#section-11.1
>
> So, I think gpg's behavior diverges from the standard here.
>
> Can you point me to the text in 4880 that supports your view that User
> IDs must have self signatures?

It was pointed out to me privately that there are actually two issues:

  1. User ID-less certificates (out of spec)
  2. User IDs without self signatures (in spec)

4880 allows User IDs without self signatures (2), but it does require
that a certificate include at least one User ID, which needn't have a
self-signature.

koo is out of spec, because it delivers certificates without User IDs
(1). It come into spec by inserting a null User ID without a self
signature (2). As I understand it, gpg would treat that (2) the same
way as it treats a certificate without any User IDs (1).

Neal