
Re: Thoughts on an OpenPGP header?



On 2004-12-03 18:16:03 +0100, Simon Josefsson wrote:
> Hi.  We are preparing a document that aims to merge all X-PGP,
> X-PGP-Fingerprint etc headers into one well defined header, for use in
> mail and news.  The document is available from:
> 
> http://josefsson.org/openpgp-header/
> 
> I'm writing to see if there is any interest in supporting this in
> Mutt.  General thoughts on the concept or the document would be
> appreciated, too, of course.

[First off, I am not a mutt developer, just a user (who submits a patch
every few years :-)]

While I won't debate that some users are adding such a header, I fail to
see the need for it.

Either a mail is PGP-signed, or it isn't.

If it is signed, it already contains the key id, algorithm, etc., so
this doesn't have to be added to the header. There is also already an
infrastructure for looking up keys, so including an URL where the key
can be obtained seems to be mostly pointless to me - why not just upload
the key to a keyserver? 

If the mail is not signed, including information about a key which may
or may not be used on other mails seems to be of rather dubious value.

So I can see only two scenarios where such a header would be useful:

1) You want to sign your messages and provide an URL where your key 
   can be found to the recipients only, but you don't want your key on a
   keyserver, where everybody could download it and e.g. check its
   position in the web of trust.

2) You don't want to sign your messages for some reason but still want to
   convey the information that you can use PGP if you need to.

Oh, well - since implementing support for such a header is trivial,
these two scenarios might suffice.

> Like Gnus, I suppose Mutt is configurable, so that users can add the
> OpenPGP header manually,

Yes.

> but one thing that could be implemented is this: when the user clicks
> on a URL in the OpenPGP: header, the URL could be retrieved, and 'gpg
> --import' is invoked on it.

Mutt can already do this if the mail is signed (it will import the key
from a keyserver). You can't "click" on anything in mutt, but sending
the message through a filter to look for an OpenPGP header and import
the key from the included URL would be simple (a few lines of perl or
your favorite scripting language).

> Another is a "Secure reply" button, that uses the Key ID information
> in the header, to make a signed/encrypted reply to a message.

The way mutt chooses the key(s) to encrypt a message with could surely
be improved (in mutt 1.4.x at least, I don't know the current status in
1.5.x). Taking the key id from the OpenPGP header might be a good idea.

        hp

-- 
   _  | Peter J. Holzer      | If the code is old but the problem is new
|_|_) | Sysadmin WSR / LUGA  | then the code probably isn't the problem.
| |   | hjp@xxxxxxxxx        |
__/   | http://www.hjp.at/   |     -- Tim Bunce on dbi-users, 2004-11-05

Attachment: pgp2zREbXKmqC.pgp
Description: PGP signature
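
The filter described in the reply above (look for an OpenPGP header and pick out the key URL), sketched in Python as an added example that is not part of the original message. The `id=...; url=...` syntax is assumed from the draft under discussion, and `parse_openpgp_header` and `key_matches_hint` are hypothetical names; the code stops before fetching and only validates the sender-controlled values that would be handed to a downloader and to `gpg --import`.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample message. The header syntax (id=...; url=...) is an
# assumption based on the draft; it is not shown on this page.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: hello
OpenPGP: id=0123456789ABCDEF;
 url=https://example.org/alice.asc

body text
"""

# Accept 8, 16 or 40 hex digits, with an optional 0x prefix.
KEY_ID = re.compile(r"(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def parse_openpgp_header(raw_message):
    """Return {'id': ..., 'url': ...} from the OpenPGP header, or None."""
    value = message_from_string(raw_message).get("OpenPGP")
    if value is None:
        return None
    params = {}
    for part in str(value).split(";"):  # folded lines are handled by strip()
        name, sep, val = part.strip().partition("=")
        if sep:
            params[name.strip().lower()] = val.strip().strip('"')
    hint = {"id": None, "url": None}
    m = KEY_ID.match(params.get("id", ""))
    if m:
        hint["id"] = m.group(1).upper()
    # The header is sender-controlled and, in an unsigned mail, unauthenticated:
    # allow only plain web URLs, never file:, ftp: or embedded credentials.
    url = urlsplit(params.get("url", ""))
    if url.scheme in ("http", "https") and url.hostname and not url.username:
        hint["url"] = url.geturl()
    return hint


def key_matches_hint(fingerprint, key_id):
    """Consistency check before import: the fetched key's fingerprint must end
    with the advertised key id. This does not authenticate the key."""
    fpr = fingerprint.replace(" ", "").upper()
    return key_id is not None and fpr.endswith(key_id)
```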