various suggestions and improvements (was: Re: Comment in cabot/README)

Joost van Baal joostvb-cabot-devel-20030805-2@mdcc.cx
Tue, 5 Aug 2003 22:40:44 +0200



Hi Erich,

Tnx for your comments!

On Tue, Aug 05, 2003 at 04:36:19PM +0200, Erich Schubert wrote:
> The comment at the end of the README is flawed IMHO.

Let's quote it here, to get things clear:

>> # $Id: README,v 1.10 2003/08/03 20:31:28 joostvb Exp $
<snip>
>> SOME THOUGHTS
>>
>> Some tools send a key, signed on just one uid, to this uid, in an
>> encrypted message.  These tools do not send a challenge.  These tools
>> make sure only _this_ uid is signed, and therefore have to clear the
>> keyring after each signing.
>>
>> For both the cabot way, and this way, there are arguments:
>>
>> Suppose we're signing a key with 7 uid's on it, with a typical user, who
>> does request key upload.  The cabot way: 8 emails are sent to the owner.
>> The owner has to decrypt 7 messages, and reply 7 times.  The other way:
>> 7 emails are sent to the owner.  The owner has to decrypt 7 messages,
>> and upload 7 times.

> I don't upload every single signed UID I receive.
> When someone signs multiple UIDs I usually receive the signatures in a
> batch. Then I have multiple mails in the folder. I certainly will read
> them all first, thus import all my signed UIDs, then I will switch to
> a terminal and upload my keys (my email client can easily decrypt, and
> easily pipe the key to gpg --import, but uploading is something that is
> easier to do outside the mail client!). That makes 7 decrypts and 1
> upload in the example.

OK, README adjusted.  Tnx.

> IMHO cabot should require the replies to be *signed*, not only
> decrypted. That would increase security (and allow the verification of
> sign-only keys.)

Can sign-only keys be used for decryption?

> It would be nice if cabot would only send the own signatures to the
> recipient to keep the mail size low. My key with all its signatures
> is > 50k by now...

Added to TODO.

> When writing such code, please do always develop so that a signer may
> have multiple keys he uses for signing the uids.

Is this currently unsupported in cabot?

Bye,

Joost


