Re: PATCH: Less fragile lookup of gpg key

[Grant Olson <kgo@grant-olson.net>]

[-- Attachment #1: Type: text/plain, Size: 3502 bytes --]

On 5/2/2010 8:59 PM, Greg A. Woods wrote:
> At Sat, 01 May 2010 12:54:24 -0700, Junio C Hamano <gitster@pobox.com> wrote:
> Subject: Re: PATCH:  Less fragile lookup of gpg key
>>
>> If I have two keys like these:
>>
>>     Junio C Hamano <gitster@pobox.com>
>>     Junio Hamano <gitster@pobox.com>
> 
> I'm not an expert on PGP internals or such, but I think that's a really
> bad thing to do.  I'm surprised you were able to get gpg to do it in the
> first place.  I would have hoped it wouldn't allow it.  As far as I can
> tell it's _not_ compatible with other implementations of PGP.
> 
> PGP keys normally are searched by the e-mail portion only.  All the
> other stuff (comments and the display name, etc.) is for decoration
> only.  This is just as it is in e-mail routing too of course.
> 
> You can of course have more than one e-mail address per key, but you
> should NEVER have more than one key per e-mail.
> 
> I.e. it's less reliable in the first place to have two different keys
> which can be found using the same e-mail address.
> 

This might be getting a little off-topic for the git list, but...

It's a weird thing to do, which is why I didn't account for it in the
original patch, but the RFC doesn't have any specific requirements
regarding what a UID is:

5.11. User ID Packet (Tag 13)

   A User ID packet consists of UTF-8 text that is intended to represent
   the name and email address of the key holder.  By convention, it
   includes an RFC 2822 [RFC2822] mail name-addr, but there are no
   restrictions on its content.  The packet length in the header
   specifies the length of the User ID.

Ultimately the key ID is the unique identifier, so there's nothing
technically wrong with creating multiple keys with the same email.  It
will cause some email clients to flip out, but that's a non-issue with
git tags.

But if someone is a regular user of OpenPGP, and they get two signatures
from the same email address with different keys, the assumption is going
to be that at least one of them is a forgery.  Maybe the keys are
cross-signed if, for example, someone is phasing out an old 1024-bit key
with a new 2048-bit one.  But that's still going to raise a few
eyebrows.  And even in that case, you still probably want to sign
everything with the same key.

If you look at any day-to-day usage of gpg, or examples posted around,
they're almost always going to just pass an email address only with the
-u flag, if they use the -u flag at all.  I don't think you're going to
find any examples or tutorials that suggest you type:

gpg -u "Junio Hamano <gitster@pobox.com>" --armor --sign file.txt

they'll all use:

gpg -u gitster@pobox.com --armor --sign file.txt

And normally a user wouldn't even use the -u flag to begin with.  They
would just go with the default secret key on your keyring.  But that
might have a different email address than your git settings, so it does
make sense to use -u within git.

I personally think that using multiple keys with the same UID falls into
the 'advanced user' category, where you can expect the advanced user to
figure out how to deal with the exceptional usage, and have the defaults
set out to cover the general case.

But all that being said, I don't have a problem with the proposed
solution of falling back to a straight email search after the username +
email search fails.

-- 
Grant

"Can you construct some sort of rudimentary lathe?"


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 552 bytes --]