[ANNOUNCE] c-ares.org downloads and website updates
Nikolaos Chatzikonstantinou
nchatz314 at gmail.com
Fri Jun 7 04:14:02 CEST 2024
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Thu, Jun 6, 2024 at 6:38 PM Brad House via c-ares
<c-ares at lists.haxx.se> wrote:
>
> On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:
>
> >
> > Hello, congrats on the update. I don't mean to be annoying but the
> > introduction of a new key should be in an email signed by the old key.
> > The download page could clarify also which versions are expected to be
> > signed by either key and which are only by Daniel, e.g. from >=1.30
> > both keys are valid. This is probably in the changelog or NEWS file
> > (if not please add) but I didn't check.
> >
> I'm pretty sure the mailing list updates too many aspects of the message
> for a signed email to properly pass through and be able to be
> validated. Maybe I'm wrong here. If I'm right though, what other way
> could we "prove" my key is allowed to be used?
If the MTA mangles PGP/MIME there's
<https://datatracker.ietf.org/doc/draft-dkg-openpgp-pgpmime-message-mangling/>
for some ways to deal with a mangled message. You don't have to use
PGP/MIME, Daniel can just enclose his message in an inline signature
with `gpg --clearsign`. I've sent this e-mail signed, as an example.
My fingerprint is ED32 5C3D 9DFE 5B0A BECE 4021 719B 12FD F9F9 6069,
but you should have my fingerprint (or public key) transmitted to you
out-of-band (meaning, with a different method) because it is trivial
for someone to take this e-mail, strip the signature, modify the
fingerprint, and then re-sign it. If Daniel sends an e-mail, he
doesn't have to worry about this, anyone who really cares can go
through the pain of obtaining his key out-of-band through a secure
channel (if they don't already have it), but what matters is that
Daniel verifies you to be authorized as a signer for c-ares, and those
who trust Daniel can now trust you too.
> I did briefly discuss with Daniel about him signing my key with his as a
> way to indicate some level of trust in my key, since we're across the
> ocean from each other we'd need to do ID verification via a video chat.
> We just haven't gotten around to that yet, would that "suffice"?
Signing keys does not tell you anything, you need to have the context
too (the context explains what the key is), which also needs to be
signed. (Confusingly in PGP there's the web of trust where users sign
keys together with an indicated level of trust.)
Regards,
Nikolaos Chatzikonstantinou
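To make the out-of-band fingerprint point concrete, here is an added example (not part of the thread, and not c-ares project code) that checks gpg's machine-readable verification output against a fingerprint pinned in advance, so that a message stripped and re-signed with some other key is rejected even though gpg reports GOODSIG for that key. All fingerprints, key IDs, user IDs and status lines are constructed, and the primary/subkey field positions follow gpg's documented VALIDSIG status line.

```python
import re

# Machine-readable output of `gpg --status-fd 1 --verify msg.asc`; all
# status lines and fingerprints in this example are constructed.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Primary-key fingerprint obtained out-of-band (key signing, video ID
# check, a trusted download page), never copied from the mail body.
PINNED_FINGERPRINTS = ["AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"]

def normalize_fpr(fpr):
    return fpr.replace(" ", "").upper()

def parse_status(status_text):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD args...' line."""
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "").split()

def pinned_signer(status_text, pinned=PINNED_FINGERPRINTS):
    """Return the pinned fingerprint whose key made the signature, or None.
    GOODSIG alone proves only that *some* key in the keyring signed it."""
    wanted = {normalize_fpr(f) for f in pinned}
    good, seen = False, set()
    for kw, args in parse_status(status_text):
        if kw in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return None
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG" and args:
            seen.add(args[0])      # fingerprint of the signing (sub)key
            if len(args) >= 10:
                seen.add(args[9])  # fingerprint of the primary key
    hits = sorted(seen & wanted)
    return hits[0] if good and hits else None

# Signature made by a subkey of the pinned primary key.
GENUINE = """\
[GNUPG:] GOODSIG 3333222211110000 Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-06-07 1717726442 0 4 0 22 10 01 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same text stripped of its signature and re-signed with an unrelated key
# that happens to be in the keyring: gpg still reports GOODSIG for it.
RESIGNED = """\
[GNUPG:] GOODSIG 1111000011110000 Someone Else <else@example.net>
[GNUPG:] VALIDSIG 5555666677778888999900001111000011110000 2024-06-07 1717726442 0 4 0 22 10 01 5555666677778888999900001111000011110000
"""
```

The TRUST_UNDEFINED line shows why the pin matters: gpg's web-of-trust level says nothing about whether this key is authorized to sign c-ares releases, which is the context Nikolaos says must itself be conveyed in a signed statement.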