| From | Julien ÉLIE <iulius@nom-de-mon-site.com.invalid> |
|---|---|
| Newsgroups | nl.newsgroups |
| Subject | Re: checkgroups nl.* [maart 2024] |
| Date | 2024-04-22 18:50 +0200 |
| Message-ID | <l8niqcFp1crU1@mid.individual.net> (permalink) |
| References | <sAoKBD.1FEAI@a3.nl.invalid> <l6klgjFkasdU1@mid.individual.net> <sB4Jq7.1nEoq@a3.nl.invalid> <l8kjajFatr4U1@mid.individual.net> <sCCF5s.nDMA@a3.nl.invalid> |
Hi Adri,

> Now if only I could get that checkgroups script to work,
> since it is now failing on the PGP signing part.
> (See <sCCEpE.nD41@a3.nl.invalid> in Dutch.)

Ah, I see. So there's a more complex problem here to solve.

Modern implementations of GnuPG 2.x no longer accept old PGP-2 keys, so most news servers won't be able to honour your control articles... They will have to keep an old version of GnuPG 1.x or 2.0.x.

With GnuPG 2.2.40 on a stable Debian installation, the key is no longer importable:

    % gpg --import nl.asc
    gpg: skipped PGP-2 keys: 1

(Hopefully GnuPG 1.4.23 is still packaged by Debian, but it may be dropped in a future release, and maybe other distributions no longer have it.)

https://gnupg.org/faq/whats-new-in-2.1.html#nopgp2

"Some algorithms and parts of the protocols as used by the 20 years old PGP-2 software are meanwhile considered unsafe. In particular the baked in use of the MD5 hash algorithm limits the security of PGP-2 keys to non-acceptable rate. Technically those PGP-2 keys are called version 3 keys (v3) and are easily identified by a shorter fingerprint which is commonly presented as 16 separate double hex digits. With GnuPG 2.1 all support for those keys has gone. If they are in an existing keyring they will eventually be removed. If GnuPG encounters such a key on import it will not be imported due to the not anymore implemented v3 key format. Removing the v3 key support also reduces complexity of the code and is thus better than to keep on handling them with a specific error message."

This is why still active hierarchies using PGP-2 are encouraged to generate a new modern key (like a 3072 or 4096-bit RSA key widely supported by both GnuPG 1.x and 2.x).

The Big-8 did that in 2021:
<87im1zrkyx.fsf@hope.eyrie.org>
URL: http://al.howardknight.net/?STYPE=msgid&MSGI=%3C87im1zrkyx.fsf%40hope.eyrie.org%3E

Since 2021, they have been sending control articles signed with both the old and the new key.

There also recently were new modern RSA keys for fr.* in 2020 and bln.* in 2023 (the first one because of the loss of the previous key by the previous hierarchy maintainer, and the second one because it wasn't signing control articles):
<rqm6t9$o68$1@news.trigofacile.com>
URL: http://al.howardknight.net/?STYPE=msgid&MSGI=%3Crqm6t9%24o68%241%40news.trigofacile.com%3E
<bln-PGP-Announce-en.20230710@FU-Berlin.DE>
URL: http://al.howardknight.net/?STYPE=msgid&MSGI=%3Cbln-PGP-Announce-en.20230710%40FU-Berlin.DE%3E

Well, now that it is said, it is up to you to decide what you would like to do. I am really unsure that going on using PGP-2 is the best, but I don't know which signing software is run by the news servers mainly used by people reading nl.*. It may happen that the current key is still recognized by most servers carrying nl.*; yet, the day will come when it no longer is...

You may then either:

- do nothing (no longer any control articles);
- make your current signing software work again, and send control articles signed with PGP-2;
- make your current signing software work again, and/or use another one, generate a new key, and send control articles in double (PGP-2 and for instance RSA);
- make your current signing software work again, and/or use another one, generate a new key, and send control articles signed with only this new key.

I agree it is a tougher work than expected... Maybe the most straightforward would be to generate a new key, use another signing software (https://ftp.isc.org/pub/pgpcontrol/signcontrol in Perl or https://github.com/Julien-Elie/usenet-signcontrol in Python) and announce in news.admin.hierarchies the new PGP key so that it is added to the official control.ctl and PGPKEYS files, and news admins know about it.

Naturally, you may want to do differently. If you have any question about the change of key or wish more points of view than mine, feel free to ask in news.admin.hierarchies.
-- 
Julien ÉLIE

« Loving unconditional means forgiving and learning to live with his imperfections. Because in the end you'll realize that it is what you love the most. »
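As an added illustration of the v3/v4 distinction discussed in the post (this is an editor's example, not code from the thread, from GnuPG or from either signcontrol tool): a small Python parser that reads an ASCII-armored public key, walks its OpenPGP packets and reports whether the primary key is a v3 (PGP-2) key with the 16-byte MD5 fingerprint that GnuPG 2.1 and later refuse to import, or a v4 key with the 20-byte SHA-1 fingerprint. The two sample keys at the bottom are constructed toy packets with tiny RSA MPIs, not real keys; only the packet layout is realistic.

```python
import base64, hashlib
ARMOR = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n"

def dearmor(armored: str) -> bytes:  # drop BEGIN/END lines, "Name: value" headers and the =CRC24 trailer
    body = armored.strip().splitlines()[1:-1]
    b64 = [l for l in body if l.strip() and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(b64))

def iter_packets(data: bytes):  # yield (tag, body); PGP-2 writes old-format headers, GnuPG new-format ones
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                  # new format (RFC 4880 4.2.2): tag in the low 6 bits
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            else:
                raise ValueError("4-octet and partial body lengths are not handled here")
        else:                                           # old format (4.2.1): tag in bits 2-5, length type in 0-1
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            if n == 0:
                raise ValueError("indeterminate packet length")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def inspect_public_key(armored: str) -> dict:
    """Classify the primary public-key packet (tag 6): v3 is the PGP-2 format GnuPG >= 2.1 refuses."""
    body = next((b for t, b in iter_packets(dearmor(armored)) if t == 6), None)
    if body is None:
        raise ValueError("no public-key packet found")
    version = body[0]
    if version == 3:                                    # v3 body: time(4) validity(2) algo(1) MPIs
        algo, mpis, raw = body[7], body[8:], b""
        while mpis:                                     # MPI = 2-byte bit count, then big-endian bytes
            nbytes = (int.from_bytes(mpis[:2], "big") + 7) // 8
            raw, mpis = raw + mpis[2:2 + nbytes], mpis[2 + nbytes:]
        fpr = hashlib.md5(raw).hexdigest()              # 16-byte MD5 over the MPI bodies, no lengths
    elif version == 4:                                  # v4 body: time(4) algo(1) MPIs
        algo = body[5]
        fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()
    else:
        raise ValueError(f"unsupported key packet version {version}")
    return {"version": version, "algorithm": algo, "fingerprint": fpr,
            "importable_by_gnupg_2_1": version == 4}
# Constructed samples: toy RSA MPIs n=0xC0FFEE (24 bits) and e=17 (5 bits), far too small to be real keys.
MPIS = bytes.fromhex("0018C0FFEE" "000511")
V3_KEY = ARMOR % base64.b64encode(bytes([0x98, 8 + len(MPIS)]) + b"\x03\x66\x26\x00\x00\x00\x00\x01" + MPIS).decode()
V4_KEY = ARMOR % base64.b64encode(bytes([0xC6, 6 + len(MPIS)]) + b"\x04\x66\x26\x00\x00\x01" + MPIS).decode()
```

Run `inspect_public_key` on a real exported key file (for instance the `nl.asc` from the post) to see which format it is in before deciding between the options above; a 32-hex-digit fingerprint means v3.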