Hi :)
"Jose-Luis Rivas" <ghostbar@debian.org> writes:
> On Wed Jul 24, 2024 at 10:12 AM -03, Justus Winter wrote:
>>
>> If you use GnuPG 2.4.x or newer, you risk creating a non-compliant key,
>> i.e. not an OpenPGP key, but a GnuPG key.
>>
>
> Hi Justus,
>
> Is there any place where there's more information on these differences?
> I tried googling and I can't find something different than "GnuPG is a
> software implementation of the OpenPGP protocol" nor way to
> differentiate keys that may be non-compliant. pgpdump shows keys created
> with <2.4.x and >=2.4.x as ver 4, and that's it.
GnuPG no longer tracks OpenPGP, but something they call LibrePGP. If
you look closely at a certificate created from it, you can see some
troubling divergences already. For example, this is from one created by
GnuPG 2.4.4:
Public-Key Packet, old CTB, 51 bytes
Version: 4
Creation time: 2024-07-11 15:32:07 UTC
Pk algo: EdDSA
Pk size: 256 bits
Fingerprint: 6E4BF25E02FA23B447A68367C0D934AB2CE1FDCB
KeyID: C0D934AB2CE1FDCB
User ID Packet, old CTB, 26 bytes
Value: Bernadette <b@example.org>
Signature Packet, old CTB, 153 bytes
Version: 4
Type: PositiveCertification
Pk algo: EdDSA
Hash algo: SHA512
Hashed area:
Issuer Fingerprint: 6E4BF25E02FA23B447A68367C0D934AB2CE1FDCB
Signature creation time: 2024-07-11 15:32:07 UTC
Key flags: CS
Key expiration time: P1095D
Symmetric algo preferences: AES256, AES192, AES128, TripleDES
AEAD preferences (deprecated): OCB
Hash preferences: SHA512, SHA384, SHA256, SHA224, SHA1
Compression preferences: Zlib, BZip2, Zip
Features: SEIPDv1, AEAD, #2
Keyserver preferences: no modify
Unhashed area:
Issuer: C0D934AB2CE1FDCB
Digest prefix: 3ABF
Level: 0 (signature over data)
Public-Subkey Packet, old CTB, 56 bytes
Version: 4
Creation time: 2024-07-11 15:32:07 UTC
Pk algo: ECDH
Pk size: 256 bits
Fingerprint: D698DFADDCC3EE4C31E503A17F6792FAA34132A8
KeyID: 7F6792FAA34132A8
Signature Packet, old CTB, 120 bytes
Version: 4
Type: SubkeyBinding
Pk algo: EdDSA
Hash algo: SHA512
Hashed area:
Issuer Fingerprint: 6E4BF25E02FA23B447A68367C0D934AB2CE1FDCB
Signature creation time: 2024-07-11 15:32:07 UTC
Key flags: EtEr
Unhashed area:
Issuer: C0D934AB2CE1FDCB
Digest prefix: 654B
Level: 0 (signature over data)
Notably,
AEAD preferences (deprecated): OCB
Features: SEIPDv1, AEAD, #2
will invite your peers also running GnuPG 2.4.x or above to send
messages encrypted with their idea of AEAD. These messages will not be
OpenPGP compliant, and they will not, in general, decrypt with OpenPGP
implementations. There is another flag set in the preferences, and our
decoder doesn't even know what that should mean, but I'm pretty sure it
is not good to advertise that if you are interested in getting
OpenPGP-compliant messages.
It is true that technically, this certificate is OpenPGP compliant, but
the messages you will receive when advertising these features may not
be. And, there is no guarantee that future versions will generate
technically compliant certificates.
Best,
Justus
Attachment:
signature.asc
Description: PGP signature