[ANNOUNCE] c-ares.org downloads and website updates

Nikolaos Chatzikonstantinou nchatz314 at gmail.com
Fri Jun 7 04:16:29 CEST 2024


On Thu, Jun 6, 2024 at 10:14 PM Nikolaos Chatzikonstantinou
<nchatz314 at gmail.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thu, Jun 6, 2024 at 6:38 PM Brad House via c-ares
> <c-ares at lists.haxx.se> wrote:
> >
> > On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:
> >
> > >
> > > Hello, congrats on the update. I don't mean to be annoying but the
> > > introduction of a new key should be in an email signed by the old key.
> > > The download page could clarify also which versions are expected to be
> > > signed by either key and which are only by Daniel, e.g. from >=1.30
> > > both keys are valid. This is probably in the changelog or NEWS file
> > > (if not please add) but I didn't check.
> > >
> > I'm pretty sure the mailing list updates too many aspects of the message
> > for a signed email to properly pass through and be able to be
> > validated.  Maybe I'm wrong here.  If I'm right though, what other way
> > could we "prove" my key is allowed to be used?
>
> If the MTA mangles PGP/MIME there's
> <https://datatracker.ietf.org/doc/draft-dkg-openpgp-pgpmime-message-mangling/>
> for some ways to deal with a mangled message. You don't have to use
> PGP/MIME, Daniel can just enclose his message in an inline signature
> with `gpg --clearsign`. I've sent this e-mail signed, as an example.
> My fingerprint is ED32 5C3D 9DFE 5B0A BECE  4021 719B 12FD F9F9 6069,
> but you should have my fingerprint (or public key) transmitted to you
> out-of-band (meaning, with a different method) because it is trivial
> for someone to take this e-mail, strip the signature, modify the
> fingerprint, and then re-sign it. If Daniel sends an e-mail, he
> doesn't have to worry about this, anyone who really cares can go
> through the pain of obtaining his key out-of-band through a secure
> channel (if they don't already have it), but what matters is that
> Daniel verifies you to be authorized as a signer for c-ares, and those
> who trust Daniel can now trust you too.
>
> > I did briefly discuss with Daniel about him signing my key with his as a
> > way to indicate some level of trust in my key, since we're across the
> > ocean from eachother we'd need to do ID verification via a video chat.
> > We just haven't gotten around to that yet, would that "suffice"?
>
> Signing keys does not tell you anything, you need to have the context
> too (the context explains what the key is), which also needs to be
> signed. (Confusingly in PGP there's the web of trust where users sign
> keys together with an indicated level of trust.)
>
> Regards,
> Nikolaos Chatzikonstantinou
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYKAB0WIQT+qiF+WQ7fQkkAb/UJFDAFinzxjQUCZmJs3AAKCRAJFDAFinzx
> jch0AP4gzqFCfgck6fBcpiLOnxYK7GdQHX1GXsND3j+nWMAHDQD+Lh7VM+5ONg9c
> dOga1QWYPR4fWYp6WisLFRtrDqIxWgE=
> =gDSN
> -----END PGP SIGNATURE-----

Nice! As soon as I tried to demonstrate it, both the signature and the
contents were mangled by gmail. Well, you know what, just attach a
signature file with `gpg --sign --detach`. Sigh, how comedic.

Regards,
Nikolaos Chatzikonstantinou


More information about the c-ares mailing list