1 Jul 2002 21:11
1 Jul 2002 21:49
Re: photo support?
vedaal <vedaal <at> hotmail.com>
2002-07-01 19:49:24 GMT
2002-07-01 19:49:24 GMT
----- Original Message ----- From: "Simon Josefsson" <jas <at> extundo.com> To: <ietf-openpgp <at> imc.org> Sent: Monday, July 01, 2002 3:11 PM Subject: photo support? > Is there a standardized way to embed photos in OpenPGP keys? Anyone > interested in writing such a standard? as it is now, it is definitely 'different' for PGP and GnuPG. PGP compresses the .jpg into the photo id, and does not export it when exporting the key. GnuPG leaves the .jpg intact as added by the user, and exports it intact as part of the .asc if PGP downloads a public key with a photo id, that was generated by GnuPG, it will export a photo as part of the .asc, but 'altered/compressed'. the exported .asc of the public key will be different than the exported .asc of the GnuPG key. as a side-issue, since the .jpg of a GnuPG generated photo-id is left intact, it is possible to steganographically embed data within the key id photo which can be retrieved intact from anywhere by downloading the key from an ldap server. it is possible to store a conventionally encrypted pgp file containing a(Continue reading)
1 Jul 2002 23:06
Re: photo support?
David Shaw <dshaw <at> jabberwocky.com>
2002-07-01 21:06:53 GMT
2002-07-01 21:06:53 GMT
On Mon, Jul 01, 2002 at 09:11:05PM +0200, Simon Josefsson wrote: > > Is there a standardized way to embed photos in OpenPGP keys? Yes. I documented the existing PGP method for the latest 2440bis draft. Both PGP and GnuPG use this method. It is actually a very general "embed anything" system. Photos are just the only currently defined attribute to be embedded. David -- -- David Shaw | dshaw <at> jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson
1 Jul 2002 22:57
Re: photo support?
Hal Finney <hal <at> finney.org>
2002-07-01 20:57:28 GMT
2002-07-01 20:57:28 GMT
Vedaal writes: > if PGP downloads a public key with a photo id, that was generated by GnuPG, > it will export a photo as part of the .asc, but 'altered/compressed'. > the exported .asc of the public key will be different than the exported .asc > of the GnuPG key. I don't think it re-compresses the JPEG, I'm not aware of any code that would do that. However it is possible that there is some incompatibility between GPG and PGP in the handling of photo IDs. Can you provide me with a GPG-created key with a photo ID, and I will see what happens to it with PGP. Hal Finney
1 Jul 2002 23:55
Re: photo support?
Michael Young <mwy-opgp97 <at> the-youngs.org>
2002-07-01 21:55:04 GMT
2002-07-01 21:55:04 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Subject: Re: photo support?
From: "vedaal" <vedaal <at> hotmail.com>
> this can lead to an overburdening of servers with 'bloated' keys, with
> whatever someone may decide to want to 'store'.
This is hardly unique to the "photo ID" field. It would be easy to "store"
arbitary content in:
a notation subpacket in a valid signature;
signature MPIs;
user names; or, even
public key MPIs.
It is impossible to prevent this sort of abuse without seriously impairing
legitimate use of the public keyservers.
One man's garbage is another man's key.
> it might be worthwhile to consider some maximal size for a recommended
> standard, which can be implemented by the servers
> refusing to accept a key greater than a certain size.
A size recommendation seems reasonable, as an implementation guideline.
A strict limit in the protocol seems most unreasonable.
This kind of restriction alone won't prevent abuse. It's only the tip
(Continue reading)
1 Jul 2002 23:55
Re: photo support?
David Shaw <dshaw <at> jabberwocky.com>
2002-07-01 21:55:26 GMT
2002-07-01 21:55:26 GMT
On Mon, Jul 01, 2002 at 03:49:24PM -0400, vedaal wrote: > > Is there a standardized way to embed photos in OpenPGP keys? Anyone > > interested in writing such a standard? > > as it is now, it is definitely 'different' for PGP and GnuPG. > > PGP compresses the .jpg into the photo id, and does not export it when > exporting the key. > > GnuPG leaves the .jpg intact as added by the user, and exports it intact as > part of the .asc > > if PGP downloads a public key with a photo id, that was generated by GnuPG, > it will export a photo as part of the .asc, but 'altered/compressed'. > the exported .asc of the public key will be different than the exported .asc > of the GnuPG key. Altered or compressed in what way? If PGP changes the photo, then it would break all signatures on the photo ID. PGP does alter the photo when you paste it in (converts it to jpeg and shrinks it), but once it's in the key, it does not change it. GnuPG requires a jpeg from the user and does not change it. Either of these is fine, since the spec says nothing about what happens to the photo before it is placed into the key. It does not matter if the ascii-armored representation of the key is different between GnuPG and PGP. This does not necessarily mean that(Continue reading)
2 Jul 2002 04:16
How to handle photoID on keyserver? (Re: photo support?)
Hironobu SUZUKI <hironobu <at> h2np.net>
2002-07-02 02:16:11 GMT
2002-07-02 02:16:11 GMT
Hi,
I have some questions about PhotoID in public keyserver.
Note: public keyserver means "key server which is open to the
public".
See also:
http://galileo.spaceports.com/~jharris/keyserver.html
1) Size issue:
If 3% public keys have 1280 x 960 jpeg photo, Public keyserver will
require storage area more than 13.7GB (at least).
a) 1280 x 960 jpeg is used the default size of many digital camera.
b) ((300 * 2^10) * (1.6 * 10^6 * 0.03)) / (2^30) = 13.732
c) 1.6Mkeys have been submitted into current public keyserver
and key dump size is almost 2GB.
2) Privacy issue:
Someone who is not owner of that public key can put public key
with PhotoID into public keyserver. And everyone can get someone's
public key with PhotoID.
I think that most OpenPGP users concern privacy issue. Size issue
become problem to some public keyserver sites. From my experience,
entire of storage size for handling public keysever may require 4
(Continue reading)
2 Jul 2002 05:51
Re: How to handle photoID on keyserver? (Re: photo support?)
David Shaw <dshaw <at> jabberwocky.com>
2002-07-02 03:51:58 GMT
2002-07-02 03:51:58 GMT
On Tue, Jul 02, 2002 at 11:16:11AM +0900, Hironobu SUZUKI wrote: > 2) Privacy issue: > > Someone who is not owner of that public key can put public key > with PhotoID into public keyserver. And everyone can get someone's > public key with PhotoID. Anyone can upload *any* public key to a keyserver or distribute it via whatever means they like. This is the same "risk" as someone uploading a key with my email address on it. If I do not want my photograph (or email address, name, public key, etc.) made public, then... I should not make it public. > I think that most OpenPGP users concern privacy issue. Size issue > become problem to some public keyserver sites. From my experience, > entire of storage size for handling public keysever may require 4 > times (or more) of whole of public keys. I mean if dump key size is > 15GB, HDD size is required 60GB at least. > > In my opinion, if public key with photoID is submitted public > keyserver, public keyserver remove photoID and related signature > packets and store the remains of packates into database. Any keyserver operator is free to do this. Conversely, any keyserver operator is free to not do this. Some keyservers have been storing keys with photo IDs on them for years. Some keyservers have been removing photo IDs for years[1].(Continue reading)
2 Jul 2002 06:58
Re: How to handle photoID on keyserver? (Re: photo support?)
Michael Young <mwy-opgp97 <at> the-youngs.org>
2002-07-02 04:58:35 GMT
2002-07-02 04:58:35 GMT
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Subject: Re: How to handle photoID on keyserver? (Re: photo support?) PGP doesn't use images anywhere near this size. David Shaw suggested that GnuPG will accept any size image, but even so, I doubt that many people will attach such a large image to their key. [I might suggest that GnuPG refuse large images by default, perhaps overridden with its "-expert" flag.] I'd also guess that a 3% usage rate is very high. The vast majority of the keys on the public servers don't have any signatures (other than self-). > Someone who is not owner of that public key can put public key > with PhotoID into public keyserver. And everyone can get someone's > public key with PhotoID. Yes, anyone can post a key claiming any identity. This is really nothing new. If you're worried about people attaching bogus identities to established keys, your keyserver could reject those without self-signatures. (Most of the keyservers do no verification at all right now, so this would be a significant change.) And yes, you could reject photoID packets (and any associated signatures) if you think size is a problem. (Even if you(Continue reading)
2 Jul 2002 15:56
Re: How to handle photoID on keyserver? (Re: photo support?)
David Shaw <dshaw <at> jabberwocky.com>
2002-07-02 13:56:31 GMT
2002-07-02 13:56:31 GMT
On Tue, Jul 02, 2002 at 12:58:35AM -0400, Michael Young wrote: > PGP doesn't use images anywhere near this size. David Shaw > suggested that GnuPG will accept any size image, but even so, > I doubt that many people will attach such a large image > to their key. [I might suggest that GnuPG refuse large > images by default, perhaps overridden with its "-expert" flag.] GnuPG does something similar to this - any image over 6k is refused unless the user confirms it. (i.e. "This image is really large! Are you sure you want to use it?" and the default is "no") David -- -- David Shaw | dshaw <at> jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson
RSS Feed