Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > nl.newsgroups > #15994

Re: checkgroups nl.* [maart 2024]

From Julien ÉLIE <iulius@nom-de-mon-site.com.invalid>
Newsgroups nl.newsgroups
Subject Re: checkgroups nl.* [maart 2024]
Date 2024-04-22 18:50 +0200
Message-ID <l8niqcFp1crU1@mid.individual.net> (permalink)
References <sAoKBD.1FEAI@a3.nl.invalid> <l6klgjFkasdU1@mid.individual.net> <sB4Jq7.1nEoq@a3.nl.invalid> <l8kjajFatr4U1@mid.individual.net> <sCCF5s.nDMA@a3.nl.invalid>

Show all headers | View raw


Hi Adri,

> Now if only I could get that checkgroups script to work,
> since it is now failing on the PGP signing part.
> (See <sCCEpE.nD41@a3.nl.invalid> in Dutch.)

Ah, I see.
So there's a more complex problem here to solve.

Modern implementations of GnuPG 2.x no longer accept old PGP-2 keys, so 
most news servers won't be able to honour your control articles...
They will have to keep an old version of GnuPG 1.x or 2.0.x.

With GnuPG 2.2.40 on a stable Debian installation, the key is no longer 
importable:

% gpg --import nl.asc
gpg:     skipped PGP-2 keys: 1

(Hopefully GnuPG 1.4.23 is still packaged by Debian, but it may be 
dropped in a future release, and maybe other distributions no longer 
have it.)


   https://gnupg.org/faq/whats-new-in-2.1.html#nopgp2

"Some algorithms and parts of the protocols as used by the 20 years old 
PGP-2 software are meanwhile considered unsafe.  In particular the baked 
in use of the MD5 hash algorithm limits the security of PGP-2 keys to 
non-acceptable rate.  Technically those PGP-2 keys are called version 3 
keys (v3) and are easily identified by a shorter fingerprint which is 
commonly presented as 16 separate double hex digits.

With GnuPG 2.1 all support for those keys has gone.  If they are in an 
existing keyring they will eventually be removed.  If GnuPG encounters 
such a key on import it will not be imported due to the not anymore 
implemented v3 key format.  Removing the v3 key support also reduces 
complexity of the code and is thus better than to keep on handling them 
with a specific error message."



This is why still active hierarchies using PGP-2 are encouraged to 
generate a new modern key (like a 3072 or 4096-bit RSA key widely 
supported by both GnuPG 1.x and 2.x).  The Big-8 did that in 2021:

   <87im1zrkyx.fsf@hope.eyrie.org>
   URL: 
http://al.howardknight.net/?STYPE=msgid&MSGI=%3C87im1zrkyx.fsf%40hope.eyrie.org%3E

Since 2021, they have been sending control articles signed with both the 
old and the new key.

There also recently were new modern RSA keys for fr.* in 2020 and bln.* 
in 2023 (the first one because of the loss of the previous key by the 
previous hierarchy maintainer, and the second one because it wasn't 
signing control articles):
   <rqm6t9$o68$1@news.trigofacile.com>
   URL: 
http://al.howardknight.net/?STYPE=msgid&MSGI=%3Crqm6t9%24o68%241%40news.trigofacile.com%3E

   <bln-PGP-Announce-en.20230710@FU-Berlin.DE>
   URL: 
http://al.howardknight.net/?STYPE=msgid&MSGI=%3Cbln-PGP-Announce-en.20230710%40FU-Berlin.DE%3E




Well, now that it is said, it is up to you to decide what you would like 
to do.
I am really unsure that going on using PGP-2 is the best, but I don't 
know which signing software is run by the news servers mainly used by 
people reading nl.*.  It may happen that the current key is still 
recognized by most servers carrying nl.*; yet, it will one day come the 
time it no longer is...

You may then either:
- do nothing (no longer any control articles);
- make your current signing software work again, and send control 
articles signed with PGP-2;
- make your current signing software work again, and/or use another one, 
generate a new key, and send control articles in double (PGP-2 and for 
instance RSA);
- make your current signing software work again, and/or use another one, 
generate a new key, and send control articles signed with only this new kay.


I agree it is a tougher work than expected...

Maybe the most straight-forward would be to generate a new key, use 
another signing software (https://ftp.isc.org/pub/pgpcontrol/signcontrol 
in Perl or https://github.com/Julien-Elie/usenet-signcontrol in Python) 
and announce in news.admin.hierarchies the new PGP key so that it is 
added to the official control.ctl and PGPKEYS files, and news admins 
know about it.
Naturally, you may want to do differently.

If you have any question about the change of key or wish more points of 
view than mine, feel free to ask in news.admin.hierarchies.

-- 
Julien ÉLIE

« Loving unconditional means forgiving and learning to live with his
   imperfections.  Because in the end you'll realize that it is what you
   love the most. »

Back to nl.newsgroups | Previous | NextPrevious in thread | Find similar | Unroll thread


Thread

checkgroups nl.* [maart 2024] a3@a3.nl.invalid - 2024-03-21 04:26 +0000
  Re: checkgroups nl.* [maart 2024] Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> - 2024-03-28 08:45 +0100
    Re: checkgroups nl.* [maart 2024] a3@a3.nl.invalid (Adri Verhoef) - 2024-03-29 19:34 +0000
      Re: checkgroups nl.* [maart 2024] Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> - 2024-04-02 09:31 +0200
      Re: checkgroups nl.* [maart 2024] Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> - 2024-04-21 15:40 +0200
        Re: checkgroups nl.* [maart 2024] a3@a3.nl.invalid (Adri Verhoef) - 2024-04-22 12:10 +0000
          Re: checkgroups nl.* [maart 2024] Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> - 2024-04-22 18:50 +0200

csiph-web