On 14/01/2025 15.37, Stephen Paul Weber wrote:
Hence OX could simply state that recipients must verify the
signature. And that only if the PGP message is supposed to originate
from within XMPP the user ID should contain the sender's XMPP address.

Honestly, why does OX care at all about user ID? It already knows what
exact key is allowed, so what user id it does or doesn't have doesn't
really affect security by much. OMEMO doesn't have user ids at all for
example.

There are two aspects here.

IIRC we assumed that it would be nice that OpenPGP keys signal that the
key holder can receive messages protected by OpenPGP via XMPP. After
all, this is one reason why the user-id subpacket exists in OpenPGP
(albeit usually used to signal OpenPGP capabilities on mail addresses).

Now, XEP-0373 § 3.2 requiring a user ID could be considered as overly
strict. This is a nice example where implementation and operation
experience feeds back into the protocol specification. Maybe it is not
required.

What is certain is that we need to relax the user ID rules for the gateway
case, i.e., when an OpenPGP protected message originates outside of the
XMPP ecosystem and is then fed into XMPP. Obviously we cannot expect
the sender's OpenPGP key to have an XMPP user ID in this case.

I'll give this some thought and probably prepare an update to the OX
suite of XEPs.

- Flow