potential IETF WG incompatibility with GnuPG 2.3

Neal H. Walfield neal at walfield.org
Tue Dec 13 12:33:35 CET 2022


On Tue, 13 Dec 2022 10:07:07 +0100,
Neal H. Walfield wrote:
> 
> On Tue, 13 Dec 2022 09:35:22 +0100,
> Bernhard Reiter wrote:
> > (Same as you did when you decided to make keys.openpgp.org incompatible
> > with the existing OpenPGP standard, by not adding the necessary signature, see
> > https://dev.gnupg.org/T4393 and blame it as a defect on your page
> > https://keys.openpgp.org/about/faq)
> 
> I think you are misreading the standard here.  My reading of 4880 is
> that the grammar for certificates explicitly says that self signatures
> on User ID packets are optional:
> 
>   - One or more User ID packets
> 
>   - After each User ID packet, zero or more Signature packets
>     (certifications)
> 
>   ...
> 
>   Immediately following each User ID packet, there are zero or more
>   Signature packets.
> 
>   https://www.rfc-editor.org/rfc/rfc4880#section-11.1
> 
> So, I think gpg's behavior diverges from the standard here.
> 
> Can you point me to the text in 4880 that supports your view that User
> IDs must have self signatures?

It was pointed out to me privately that there are actually two issues:

  1. User ID-less certificates (out of spec)
  2. User IDs without self signatures (in spec)

4880 allows User IDs without self signatures (2), but it does require
that a certificate include at least one User ID, which needn't have a
self-signature.

koo is out of spec, because it delivers certificates without User IDs
(1).  It could come into spec by inserting a null User ID without a self
signature (2).  As I understand it, gpg would treat that (2) the same
way as it treats a certificate without any User IDs (1).

Neal
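Added example, not part of the thread or of any project's code: a Python checker that walks the packet sequence of a certificate (RFC 4880 sections 4.2 and 11.1) and distinguishes the two cases above, a certificate with no User ID packet at all versus a User ID packet with no certification after it. Tag numbers come from RFC 4880; the packet bodies used to exercise it are constructed placeholders, and it does not parse Issuer subpackets, so it counts certifications without deciding whether each one is a self-signature.

```python
# Structural check of an OpenPGP transferable public key (RFC 4880 section 11.1).
# Reports the two issues from the thread: (1) no User ID packet at all,
# (2) a User ID packet with no Signature packets (certifications) after it.
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY, TAG_USER_ATTR = 2, 6, 13, 14, 17

def parse_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers with definite
    lengths (RFC 4880 section 4.2). Partial and indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        if hdr & 0x40:  # new format: tag in low 6 bits, variable-size length field
            tag, b0 = hdr & 0x3F, data[i + 1]
            if b0 < 192:
                length, i = b0, i + 2
            elif b0 < 224:
                length, i = ((b0 - 192) << 8) + data[i + 2] + 192, i + 3
            elif b0 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length type in low 2 bits
            tag, lentype = (hdr >> 2) & 0x0F, hdr & 0x03
            if lentype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[lentype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def check_certificate(data: bytes) -> dict:
    """Count Signature packets directly following each User ID. Deciding whether a
    certification is a *self* signature needs the Issuer subpacket; not done here."""
    uids, current = [], None
    for tag, body in parse_packets(data):
        if tag == TAG_USER_ID:
            current = [body.decode("utf-8", "replace"), 0]
            uids.append(current)
        elif tag == TAG_SIGNATURE and current is not None:
            current[1] += 1
        elif tag in (TAG_PUBLIC_SUBKEY, TAG_USER_ATTR):
            current = None  # signatures after these are not User ID certifications
    return {"has_user_id": bool(uids), "user_ids": [u[0] for u in uids],
            "uncertified_user_ids": [u[0] for u in uids if u[1] == 0]}

def pkt(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet length (constructed test data, not a real key)."""
    return bytes([0xC0 | tag, len(body)]) + body
```

A certificate of the form `pkt(TAG_PUBLIC_KEY, ...) + pkt(TAG_SIGNATURE, ...)` reports `has_user_id` False (case 1), while appending `pkt(TAG_USER_ID, b"")` makes it in spec but lists the empty User ID under `uncertified_user_ids` (case 2).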
