X-PGP-Sig header, and thoughts on key agent daemons - Mark Atwood
So yesterday I tweaked my emacs and gnus configuration so that it generates an X-PGP-Sig header on outgoing messages. Now all my outgoing emails and netnews posts are unobtrusively signed. (My GPG key is here on the keyserver networks.)

In the process of doing that, I also ended up finally reading the docs for gpg-agent and ssh-agent. They are pretty neat, but I'm annoyed by a couple of crying lacks.

  • The developers of gpg-agent and ssh-agent ought to get together and converge on a common protocol, or even better, just merge and unify the tool. And hook up with the OpenSSL people.
  • The ssh-agent and the gpg-agent ought to work hand in hand with the Gnome keyring and with the KDE keyring.
  • ssh and gpg should demand load keys into their agents. That is, instead of having to run ssh-add or gpg-agent-add prior to using the keys, whenever ssh or gpg decrypt and use a local private key, they ought to then just load it into the agent for next time.
  • There is a pam_ssh module, but not an equivalent pam_gpg module.

Current Location: Home, Capitol Hill, Seattle WA

2 comments
Comments
From: dossy Date: October 14th, 2007 10:17 pm (UTC)
Unobtrusively signed? Do you just treat the entire payload as data which gets signed? Otherwise, without start/end markers (which is always a great joy for multipart-MIME messages) how will a PGP/GPG consumer know exactly which bytes have been signed?
From: fallenpegasus Date: October 15th, 2007 12:25 am (UTC)
The X-Pgp-Sig definition is over ten years old; it dates back to tale@uunet working out how to sign USENET control messages.

Basically it canonicalizes the message body, and then makes a canonical header set, puts them together, runs it through PGP, then builds a header line that contains some version info, a list of the signed headers, and then the sig.

It breaks if something rewrites the message body, but it's hard to call that a bug.
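The scheme described in the comment above (canonical body plus canonical header set, signed together, with the header list carried in the signature header), as an added example that is not part of the original post and not the code of any real X-PGP-Sig implementation. It stands in an HMAC-SHA256 keyed MAC for the PGP detached signature so it runs offline with only the standard library, and the header layout, the `X-Signed-Headers` prefix line, the canonicalization rules and the `DEMO_KEY` are all assumptions of this example rather than anything the post specifies. The `verify` function returns the list of covered headers so a consumer can refuse a signature that does not cover the headers it cares about; the tests at the end show that whitespace-only edits survive canonicalization while a content edit or a change to a signed header does not.

```python
"""X-PGP-Sig style signing: canonical headers + canonical body, signed as one blob.

Added example. An HMAC-SHA256 stands in for the PGP detached signature so the
block runs with the standard library alone; the layout below follows the
description in the post's comment, not any specific implementation.
"""
import base64
import hashlib
import hmac
import re

SIG_HEADER = "X-PGP-Sig"

# Constructed demo key: stands in for the private key a gpg-agent would hold.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Headers a consumer should insist are covered before trusting a signature.
REQUIRED_HEADERS = ("From", "Subject", "Message-ID")


def canonical_body(body: str) -> bytes:
    """Normalize CRLF to LF, strip trailing whitespace per line, drop trailing
    blank lines and end with exactly one newline (assumed canonical form)."""
    lines = [ln.rstrip(" \t") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\n".join(lines) + "\n").encode("utf-8")


def canonical_headers(headers: dict, signed: list) -> bytes:
    """Serialize the covered headers in a fixed order with folding removed.
    The list of covered names is itself part of the signed data, so a
    verifier cannot be handed a different (shorter) list than was signed."""
    out = [f"X-Signed-Headers: {','.join(signed)}"]
    for name in signed:
        value = re.sub(r"\s*\r?\n\s+", " ", headers.get(name, "")).strip()  # unfold
        out.append(f"{name}: {value}")
    return ("\n".join(out) + "\n\n").encode("utf-8")


def signed_data(headers: dict, signed: list, body: str) -> bytes:
    """The exact bytes the signer signs and the verifier must reconstruct."""
    return canonical_headers(headers, signed) + canonical_body(body)


def sign(headers: dict, body: str, signed: list, key: bytes = DEMO_KEY,
         version: str = "1.0") -> str:
    """Return the value for the X-PGP-Sig header:
    '<version> <comma-separated signed header names> <base64 signature>'."""
    if SIG_HEADER in signed:
        raise ValueError("the signature header cannot sign itself")
    mac = hmac.new(key, signed_data(headers, signed, body), hashlib.sha256).digest()
    return f"{version} {','.join(signed)} {base64.b64encode(mac).decode('ascii')}"


def verify(headers: dict, body: str, key: bytes = DEMO_KEY):
    """Return (ok, covered_headers). ok is False on any parse or MAC failure."""
    value = headers.get(SIG_HEADER, "")
    parts = value.split()
    if len(parts) != 3:
        return False, []
    _version, signed_csv, sig_b64 = parts
    signed = signed_csv.split(",")
    if SIG_HEADER in signed:
        return False, signed
    try:
        got = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return False, signed
    expect = hmac.new(key, signed_data(headers, signed, body), hashlib.sha256).digest()
    return hmac.compare_digest(got, expect), signed


def covers_required(signed: list, required=REQUIRED_HEADERS) -> bool:
    """Consumer-side check: a valid signature over the wrong headers is
    worthless, so insist the covered list includes the headers you rely on."""
    return all(name in signed for name in required)


if __name__ == "__main__":
    # Constructed sample message.
    hdrs = {
        "From": "alice@example.org",
        "Subject": "test posting",
        "Message-ID": "<1@example.org>",
        "Date": "Sun, 14 Oct 2007 22:17:00 +0000",
    }
    hdrs[SIG_HEADER] = sign(hdrs, "Hello world\r\n", ["From", "Subject", "Message-ID", "Date"])
    print(hdrs[SIG_HEADER])
    ok, covered = verify(hdrs, "Hello world   \n\n")   # whitespace mangled in transit
    print("verified:", ok, "covers required:", covers_required(covered))
```

The whitespace tolerance is a deliberate trade-off: it lets the signature survive transport that re-wraps line endings or strips trailing spaces, but it also means whitespace-only edits are not detected, and any rewrite that changes actual body content breaks verification, exactly as the comment says.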
