Closed hpk42 closed 6 years ago
with other aspects of setup process i mean going through the spec for key generation and seeing if what we do is inline. My general take on if people want to use e.g. keys with passphrases is that they do the key generation with gpg themselves and then do muacrypt add-account --use-key KEYHANDLE --gpgmode=system
to select that key. this way they could aslo use keys from smart cards etc. however, i think that the current decrypt/encrypt API hardcodes passphrases and thus will fail for that case. I am not sure if we need to support passphrases, it's also a feature that can come later as the autocrypt spec does not require support for keys with passphrases. We could have a new issue "support keys with custom/user-specified passphrases" as an enhancement but it wouldn't carry the L1-compliance tag.
Here's what we currently create:
$ gpg2 --export --armor x | gpg2 --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=397
:public key packet:
version 4, algo 1, created 1518001173, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
keyid: 7C02517343989701
# off=400 ctb=b4 tag=13 hlen=2 plen=10
:user ID packet: " <x@y.org>"
# off=412 ctb=89 tag=2 hlen=3 plen=440
:signature packet: algo 1, keyid 7C02517343989701
version 4, created 1518001173, md5len 0, sigclass 0x13
digest algo 2, begin of digest 34 6e
hashed subpkt 2 len 4 (sig created 2018-02-07)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 7C02517343989701)
data: [3072 bits]
# off=855 ctb=b9 tag=14 hlen=3 plen=397
:public sub key packet:
version 4, algo 1, created 1518001173, expires 0
pkey[0]: [3072 bits]
pkey[1]: [17 bits]
keyid: 3667B02740E768B9
# off=1255 ctb=89 tag=2 hlen=3 plen=415
:signature packet: algo 1, keyid 7C02517343989701
version 4, created 1518001173, md5len 0, sigclass 0x18
digest algo 2, begin of digest 5f 71
hashed subpkt 2 len 4 (sig created 2018-02-07)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 7C02517343989701)
data: [3072 bits]
I just compared this to the spec, the autocrypt header enigmail produces for me and the one of @Valodim .
Seems fine. So i will create a new issue for the remaining process stuff and close this one.
https://autocrypt.org/level1.html#secret-key-generation-and-storage mandates that we create RSA3072 keys. currently we create RSA2048. Also ensure that all other aspects of the setup process are followed.