Mailing List Archive

Why is --auto-key-locate only for encrypting?
Hi,

debian-11, gpg-2.2.27

Why is the --auto-key-locate only for encrypting (says
the gpg(1) manpage)? Wouldn't it also be useful when
receiving emails and verifying signatures?

cheers,
raf


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why is --auto-key-locate only for encrypting?
On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> Why is the --auto-key-locate only for encrypting (says
> the gpg(1) manpage)? Wouldn't it also be useful when
> receiving emails and verifying signatures?

--auto-key-locate looks up keys by email address. It makes no sense when
verifying signatures because in this case you already know the key id the
signature was made with, so that there's no reason to look up the key by email
address (which is ambiguous).

The equivalent for automatic look-up of keys when verifying signatures is
--auto-key-retrieve.

Regards,
Ingo
Re: Why is --auto-key-locate only for encrypting?
On 2021-09-01 at 13:50 +0200, Ingo Klöcker wrote:
> On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > Why is the --auto-key-locate only for encrypting (says
> > the gpg(1) manpage)? Wouldn't it also be useful when
> > receiving emails and verifying signatures?
>
> --auto-key-locate looks up keys by email address. It makes no sense when
> verifying signatures because in this case you already know the key id the
> signature was made with, so that there's no reason to look up the key by email
> address (which is ambiguous).

If you're looking up purely by key id, then you need a working global
key-lookup facility. It doesn't federate.

If you look up by email address, then federation becomes available and
efforts such as WKD pay off.

-Phil

Re: Why is --auto-key-locate only for encrypting?
On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker <kloecker@kde.org> wrote:

> On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > Why is the --auto-key-locate only for encrypting (says
> > the gpg(1) manpage)? Wouldn't it also be useful when
> > receiving emails and verifying signatures?
>
> --auto-key-locate looks up keys by email address. It makes no sense when
> verifying signatures because in this case you already know the key id the
> signature was made with, so that there's no reason to look up the key by email
> address (which is ambiguous).

Thanks. I don't understand why it makes no sense, but
I'll take your word for it. But I can think of a reason
to look up the key by email address even though you
have the keyid from the signature: when the key is not
on a keyserver or a WKD server, but is in a DNS
OPENPGPKEY record (DANE). But perhaps that's not a thing.

> The equivalent for automatic look-up of keys when verifying signatures is
> --auto-key-retrieve.

Thanks, but the manpage doesn't include DANE as one of
the lookup methods for that option. That's what I was
hoping for.

Since this option does a WKD lookup if wkd is in the
auto-key-locate list (and --disable-signer-uid isn't
used), it seems that it would make sense to do a DANE
lookup if dane is in the auto-key-locate list (and
--disable-signer-uid isn't used).

> Regards,
> Ingo

cheers,
raf


Re: Why is --auto-key-locate only for encrypting?
On Wednesday, 1 September 2021 18:15:56 CEST Phil Pennock via Gnupg-users wrote:
> On 2021-09-01 at 13:50 +0200, Ingo Klöcker wrote:
> > On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > > Why is the --auto-key-locate only for encrypting (says
> > > the gpg(1) manpage)? Wouldn't it also be useful when
> > > receiving emails and verifying signatures?
> >
> > --auto-key-locate looks up keys by email address. It makes no sense when
> > verifying signatures because in this case you already know the key id the
> > signature was made with, so that there's no reason to look up the key by
> > email address (which is ambiguous).
>
> If you're looking up purely by key id, then you need a working global
> key-lookup facility. It doesn't federate.
>
> If you look up by email address, then federation becomes available and
> efforts such as WKD pay off.

I concur. That's why --auto-key-retrieve also does a WKD lookup if the
signature has the Signer's UID set.

Regards,
Ingo
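The distinction drawn in this thread (a key id only identifies a key on a global keyserver, while a mail address lets the owner's domain answer via WKD or DANE, which is why automatic fetching during verification needs the Signer's User ID subpacket) can be made concrete by deriving the lookup locations. The script below is an added example and not GnuPG's code: it computes the WKD URLs (draft-koch-openpgp-webkey-service) and the DANE OPENPGPKEY owner name (RFC 7929) from their specifications, and models the decision with a `retrieve_targets` helper whose name and return layout are this example's own. The sample key id and User ID are constructed values. Whether the DANE local part should be case-folded before hashing is left as an assumption (none is applied here).

```python
"""Lookup locations for an OpenPGP key: by key id versus by mail address.

Added example, not GnuPG's code.  Derives the federated lookup locations
that WKD (draft-koch-openpgp-webkey-service) and DANE OPENPGPKEY (RFC 7929)
assign to a mail address, and models the point that a signature must carry
the Signer's User ID before either can be used; a bare key id only supports
a keyserver lookup.  Function and dictionary key names are this example's own.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# z-base-32 alphabet (RFC 6189, section 5.1.6); WKD uses it for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
MAILBOX_RE = re.compile(r"^([^@\s<>]+)@([^@\s<>]+)$")


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding: most significant bit first, 5 bits per character."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)  # ceil(nbits / 5)
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)  # pad to a 5-bit boundary
    return "".join(ZBASE32[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def split_mailbox(addr: str) -> Tuple[str, str]:
    """Return (local part as given, domain lower-cased); only the domain is case-insensitive."""
    m = MAILBOX_RE.match(addr)
    if not m:
        raise ValueError(f"not a mailbox: {addr!r}")
    return m.group(1), m.group(2).lower()


def mailbox_from_uid(uid: str) -> str:
    """Extract the address from a User ID such as 'Joe Doe <joe@example.org>'."""
    m = re.search(r"<([^<>]+)>", uid)
    return m.group(1) if m else uid.strip()


def wkd_urls(addr: str) -> Dict[str, str]:
    """WKD advanced and direct method URLs: SHA-1 of the lower-cased local part, z-base-32."""
    local, domain = split_mailbox(addr)
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")  # the l= parameter carries the local part as given
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={l_param}",
    }


def dane_owner_name(addr: str) -> str:
    """DNS owner name of the OPENPGPKEY record (RFC 7929): SHA-256 of the local part,
    truncated to 28 octets and hex-encoded, under _openpgpkey.<domain>.
    The local part is hashed as given; no case folding is applied (assumption)."""
    local, domain = split_mailbox(addr)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def retrieve_targets(key_id: str, signer_uid: Optional[str] = None) -> Dict[str, object]:
    """Where automatic fetching for one signature can look (this example's own model).

    The key id only identifies the key on a keyserver, a global, non-federated
    facility.  Only if the signature carries a Signer's User ID can the
    domain-owned locations (WKD, DANE) be derived from the mail address."""
    targets: Dict[str, object] = {"keyserver": key_id.upper()}
    if signer_uid:
        addr = mailbox_from_uid(signer_uid)
        targets["wkd"] = wkd_urls(addr)
        targets["dane"] = dane_owner_name(addr)
    return targets


def key_matches_signature(fingerprint: str, key_id: str) -> bool:
    """A key fetched by mail address must still be the one that made the signature:
    the long key id is the low-order 16 hex digits of a v4 fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    kid = key_id.upper()
    kid = kid[2:] if kid.startswith("0X") else kid
    return len(fpr) == 40 and len(kid) == 16 and fpr.endswith(kid)


if __name__ == "__main__":
    # Constructed values: a made-up key id and a made-up Signer's User ID.
    for uid in (None, "Joe Doe <Joe.Doe@Example.ORG>"):
        print(f"--- signer uid: {uid!r}")
        for name, value in retrieve_targets("0123456789ABCDEF", uid).items():
            print(f"{name:9} {value}")
```

Run it as a script to see that without a Signer's User ID the only target is the keyserver, and with one the WKD URLs and the DANE owner name appear for the signer's domain. Whatever a lookup by address returns, the verifier still has to confirm that the fetched key's fingerprint matches the issuer of the signature, which is what `key_matches_signature` checks.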
Re: Why is --auto-key-locate only for encrypting?
On Thursday, 2 September 2021 01:28:42 CEST raf via Gnupg-users wrote:
> On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker <kloecker@kde.org> wrote:
> > On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > > Why is the --auto-key-locate only for encrypting (says
> > > the gpg(1) manpage)? Wouldn't it also be useful when
> > > receiving emails and verifying signatures?
> >
> > --auto-key-locate looks up keys by email address. It makes no sense when
> > verifying signatures because in this case you already know the key id the
> > signature was made with, so that there's no reason to look up the key by
> > email address (which is ambiguous).
>
> Thanks. I don't understand why it makes no sense, but
> I'll take your word for it. But I can think of a reason
> to look up the key by email address even though you
> have the keyid from the signature: when the key is not
> on a keyserver or a WKD server, but is in a DNS
> OPENPGPKEY record (DANE). But perhaps that's not a thing.

I retract my claim that it makes no sense. It can make sense and that's why
--auto-key-retrieve also does a lookup by email address on WKD.

> > The equivalent for automatic look-up of keys when verifying signatures is
> > --auto-key-retrieve.
>
> Thanks, but the manpage doesn't include DANE as one of
> the lookup methods for that option. That's what I was
> hoping for.
>
> Since this option does a WKD lookup if wkd is in the
> auto-key-locate list (and --disable-signer-uid isn't
> used), it seems that it would make sense to do a DANE
> lookup if dane is in the auto-key-locate list (and
> --disable-signer-uid isn't used).

So what you actually want is that --auto-key-retrieve also does a DANE lookup
or in fact all kinds of lookup supported by --auto-key-locate. Did you check
that it doesn't already do this (even if the man page doesn't mention it)? If
yes, then I'd say submit a request for this feature at https://dev.gnupg.org.

Regards,
Ingo
Re: Why is --auto-key-locate only for encrypting?
On Thu, Sep 02, 2021 at 01:10:40PM +0200, Ingo Klöcker <kloecker@kde.org> wrote:

> On Thursday, 2 September 2021 01:28:42 CEST raf via Gnupg-users wrote:
> > On Wed, Sep 01, 2021 at 01:50:36PM +0200, Ingo Klöcker <kloecker@kde.org> wrote:
> > > On Wednesday, 1 September 2021 07:55:21 CEST raf via Gnupg-users wrote:
> > > > Why is the --auto-key-locate only for encrypting (says
> > > > the gpg(1) manpage)? Wouldn't it also be useful when
> > > > receiving emails and verifying signatures?
> > >
> > > --auto-key-locate looks up keys by email address. It makes no sense when
> > > verifying signatures because in this case you already know the key id the
> > > signature was made with, so that there's no reason to look up the key by
> > > email address (which is ambiguous).
> >
> > Thanks. I don't understand why it makes no sense, but
> > I'll take your word for it. But I can think of a reason
> > to look up the key by email address even though you
> > have the keyid from the signature: when the key is not
> > on a keyserver or a WKD server, but is in a DNS
> > OPENPGPKEY record (DANE). But perhaps that's not a thing.
>
> I retract my claim that it makes no sense. It can make sense and that's why
> --auto-key-retrieve also does a lookup by email address on WKD.
>
> > > The equivalent for automatic look-up of keys when verifying signatures is
> > > --auto-key-retrieve.
> >
> > Thanks, but the manpage doesn't include DANE as one of
> > the lookup methods for that option. That's what I was
> > hoping for.
> >
> > Since this option does a WKD lookup if wkd is in the
> > auto-key-locate list (and --disable-signer-uid isn't
> > used), it seems that it would make sense to do a DANE
> > lookup if dane is in the auto-key-locate list (and
> > --disable-signer-uid isn't used).
>
> So what you actually want is that --auto-key-retrieve also does a DANE lookup
> or in fact all kinds of lookup supported by --auto-key-locate. Did you check
> that it doesn't already do this (even if the man page doesn't mention it)? If
> yes, then I'd say submit a request for this feature at https://dev.gnupg.org.
>
> Regards,
> Ingo

I didn't check. I just based it on the manpage. I just
checked the NEWS file, and there's no mention of such
functionality. I'll submit a feature request. Thanks.

cheers,
raf

