my gpg key does not conform to rfc4880?

David Shaw dshaw at jabberwocky.com
Thu Oct 10 20:10:37 CEST 2013


On Oct 10, 2013, at 1:45 PM, "Brian J. Murrell" <brian at interlinx.bc.ca> wrote:

> I was told by a developer of a piece of software that my key does not
> conform to rfc4800.  He said:
> 
>  According to http://tools.ietf.org/html/rfc4880#section-5.2.2
>  signatures of version 3 don't have subpackets, which are only
>  available in version 4.
> 
>  Looks like your key from 1998 is not compliant to RFC4880.
> 
> Do I have any recourse other than to generate a new key?

Probably, but without seeing the key it is hard to be completely sure.  Most likely, you could just strip the poison signature from your key and keep using it.  If it's a self-signature, you'll have to make another one.  If it's a signature from someone else, you can either disregard it, or ask them to re-sign your key.

Can you say what the software that rejected your key is?  If you think about it, rejecting a key because of a bad signature could lead to a denial of service attack - just upload a signature that is noncompliant enough to cause the key to be rejected, but compliant enough to make it onto a keyserver.  Is your key with the bad signature on a keyserver?

David
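
To see which signature on a key is version 3 before deciding what to strip, the packet versions can be listed directly. The following is an added example, not part of the original message or of GnuPG: a Python walk over the packets of a binary key export using the RFC 4880 header rules, with function names and sample bytes constructed for illustration.

```python
def read_packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP export."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not a packet header")
        i += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:                     # one-octet length
                length, i = first, i + 1
            elif first < 224:                   # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:                  # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                   # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if size == 8:                       # length type 3
                raise ValueError("indeterminate length not handled here")
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def signature_versions(data):
    """Return [(version, sig_type)] for every signature packet (tag 2)."""
    found = []
    for tag, body in read_packets(data):
        if tag == 2 and len(body) >= 3:
            # v3 body: version, hashed length (5), type; v4 body: version, type
            version = body[0]
            sig_type = body[2] if version == 3 else body[1] if version == 4 else None
            found.append((version, sig_type))
    return found

# Constructed sample (stub bodies, not a valid key): key, user ID, v3 sig, v4 sig
SAMPLE = (
    bytes([0x98, 3]) + b"\x04\x00\x00"
    + bytes([0xCD, 4]) + b"test"
    + bytes([0x88, 19]) + b"\x03\x05\x10" + bytes(12) + b"\x01\x02" + bytes(2)
    + bytes([0xC2, 10]) + b"\x04\x13\x01\x08" + bytes(6)
)

if __name__ == "__main__":
    print(signature_versions(SAMPLE))
```

On a real key, pass the bytes produced by `gpg --export` for that key instead of `SAMPLE`.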



