Neal H. Walfield
> @nwalfield @pmatilai Is the purpose of the existing behavior to make updating a key look like upgrading a package?

Good question. I don't know.
> It needs to get a new release when the key is updated, otherwise the rpm --import will just do nothing. That is at best a heuristic. Even if you...
> My proposal is to add a "pgpDigParamsModificationTime()" that returns the maximum of all self-signature creation time (they can all be verified). That's pretty much what the old code should...
> I know that. It does not need to be 100% correct (it obviously can't). The use case is to have a different release when the expire time of a...
I was responding to your stated convictions, e.g., "you should certainly not ask a keyserver for keys." My impression is that you haven't thought this stuff through, so I was...
> You can't trust keys.openpgp.org to only return key material for the query, so you need to check the returned data to make sure it doesn't contain an extra pubkey....
Looking at the code, it seems:

- [`rpmcliImportPubkeys`](https://github.com/rpm-software-management/rpm/blob/1bd0f9cd2eb60c30f6076b202942ab8f43c4e41b/lib/rpmchecksig.c#L83)
- [calls](https://github.com/rpm-software-management/rpm/blob/1bd0f9cd2eb60c30f6076b202942ab8f43c4e41b/lib/rpmchecksig.c#L99) [`doImport`](https://github.com/rpm-software-management/rpm/blob/1bd0f9cd2eb60c30f6076b202942ab8f43c4e41b/lib/rpmchecksig.c#L27)
- [calls](https://github.com/rpm-software-management/rpm/blob/1bd0f9cd2eb60c30f6076b202942ab8f43c4e41b/lib/rpmchecksig.c#L55) [`rpmtsImportPubkey`](https://github.com/rpm-software-management/rpm/blob/master/lib/rpmts.c#L603)
- [calls](https://github.com/rpm-software-management/rpm/blob/master/lib/rpmts.c#L646) [`rpmKeyringAddKey`](https://github.com/rpm-software-management/rpm/blob/1bd0f9cd2eb60c30f6076b202942ab8f43c4e41b/rpmio/rpmkeyring.c#L82) which [checks if the certificate's key id is known, and if so, don't...
> @nwalfield, merging certificates sounds like a relatively hard problem to solve in general. Can you explain what you are thinking or worried about here? The implementation to merge certificates...
> I suppose there might be some situations where that is helpful. But it sounds dangerous as a default behaviour. Old keys would never get retired / revoked. This could...
Is a "key master" the entity that controls the key? I think we are using the word certificate in different ways. According to RFC 4880, a certificate in OpenPGP (as...