Open arudzitis-stripe opened 3 months ago
Hello :wave: Perhaps we could add a config option to allow using such keys (that would be off by default) in config.go. A PR would be welcome, I'd say :)
Cool! I'll see if I can find some time to throw together a PR!
👋 Hello folks! I want to start by saying I really appreciate the existence of this library and the dedication here to trying to do the right thing.
I wanted to flag that I believe https://github.com/ProtonMail/go-crypto/pull/155 has some unintended consequences and could use a bit more discussion.
We regularly exchange OpenPGP keys with third-party institutions and we still see on occasion that keys are being created without flags indicating the proper usage. I'm not exactly sure where these keys come from, but they are out there in the wild. Often we do not have the ability to request new signatures on these keys, especially as these keys will work with `gpg`, which is seen as somewhat of a reference implementation.
Since the change was made on this library, we switched to modifying the key structs after parsing to manually mark them as valid, which is viable, but requires us to keep track of keys we expect to have no flags.
I do wish the RFC was stronger on this topic.
I have (questionably) interpreted that as the flags being optional (indicating a preference) rather than a requirement. But I am open to other interpretations.
(https://github.com/ProtonMail/go-crypto/issues/187 was opened by another user, but it seems that in their case they were able to modify the key.)
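An added example, not part of the thread and not go-crypto code: a standard-library-only check that walks a self-signature's hashed subpacket area (RFC 4880 subpacket length encoding) and reports whether a Key Flags subpacket (type 27) is present, which is one way to audit incoming keys for the flagless case described above. The function name `KeyFlags` and the sample byte strings are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

const keyFlagsType = 27 // Key Flags subpacket type (RFC 4880, 5.2.3.21)

// KeyFlags scans a hashed subpacket area and returns the first flags octet.
// present is false when the signature carries no Key Flags subpacket at all.
func KeyFlags(area []byte) (flags byte, present bool, err error) {
	for len(area) > 0 {
		var n int
		switch first := area[0]; {
		case first < 192: // one-octet length
			n, area = int(first), area[1:]
		case first < 255: // two-octet length
			if len(area) < 2 {
				return 0, false, errors.New("truncated subpacket length")
			}
			n, area = (int(first)-192)<<8+int(area[1])+192, area[2:]
		default: // 0xff followed by a four-octet length
			if len(area) < 5 {
				return 0, false, errors.New("truncated subpacket length")
			}
			n = int(area[1])<<24 | int(area[2])<<16 | int(area[3])<<8 | int(area[4])
			area = area[5:]
		}
		if n < 1 || n > len(area) { // length counts the type octet
			return 0, false, errors.New("bad subpacket length")
		}
		// Bit 7 of the type octet is the critical bit, not part of the type.
		if area[0]&0x7f == keyFlagsType && n >= 2 {
			return area[1], true, nil
		}
		area = area[n:]
	}
	return 0, false, nil
}

func main() {
	// Constructed samples: creation time only, then creation time + flags 0x03.
	noFlags := []byte{5, 2, 0x5f, 0, 0, 0}
	withFlags := []byte{5, 2, 0x5f, 0, 0, 0, 2, 27, 0x03}
	for _, a := range [][]byte{noFlags, withFlags} {
		f, ok, err := KeyFlags(a)
		fmt.Printf("present=%v flags=%#02x err=%v\n", ok, f, err)
	}
}
```

In the flags octet, 0x01 is certify, 0x02 is sign, 0x04 is encrypt communications and 0x08 is encrypt storage, so the second sample (0x03) is a certify-and-sign key.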