Tuesday, October 7, 2008

FireGPG test

Hash: SHA1

João Pinheiro wrote:
> I'm considering the option of adding a Photo ID to my GPG key to make it
> easier for people to identify me and verify that the key does indeed
> belong to me. However, there are a few issues that I would like to clear
> out before doing so.
> 1) PGP specifies 120x144 as the maximum resolution while GPG recommends
> the usage of 240x288. What image resolution would you advise me to use
> and how big can/should the actual JPEG file be? Is 6kb for a 120x144
> photo acceptable or should I try to stay below 4kb?

PGP will resize whatever resolution you supply to fit into its Key
Properties window. GnuPG relies on an external image viewer (e.g. MS Photo
Editor or whatever JPEG viewer you have). Resizing a 120x144 image 200% to
240x288 usually results in considerable image degradation. I favor the
higher resolution.

That said, it is almost trivial to get a 120x144 JPEG to fit into < 6KB.
This is not the case with a 240x288 image, which typically takes reducing
the JPEG's compression quality to 20%-30% to obtain an image <= 6KB.

I think if GnuPG is going to go with 4x the pixels they should make an
appropriate adjustment to the maximum image size, e.g. 24KB. I try to keep
my key's photo id images in the mid-teens.

> 2) I know that several keyservers used to have problems with Photo IDs
> some time ago. Are those issues still around or have they been solved by
> now? Do any servers have some kind of a public key size limit?

Those problems existed on the older PKS key servers. The issues are stilla
round on PKS, but have been eliminated by the new SKS key servers (see below).

The only limit on key size is common sense. IF one *REALLY* needs a 4096-bit
encryption key for email, they probably shouldn't even be using the 'Net. At
the present 1024-bit RSA and ElGamal keys are are considered "Standard" and
2048-bit keys are labelled "High Grade" on the X.509 certificate sites.

I'll paraphrase Rob Hansen's general advice here, "Unless you REALLY know
what and why you're doing something, stick with the defaults."

> 3) Which keyserver would you recommend for me to use from now on? I have
> been using keyserver.pgp.com over the past few months and I was
> wondering if there is a better/more widely adopted one out there.

I just answered this last Friday on Gnupg-Users. For simplicity, I'll just
copy that message.

> Is there a recommended(read Endorsed) Keyserver?

There is NO officially recommended or endorsed key server.

> I'm looking at the documentation we have here at gentoo.org and it
> recommends pgp.mit.edu. It has been suggested that this server is old
> and broken. Is this the case?

pgp.mit.edu works fine for older keys. It runs the PGP Key Server (pks). PKS
does not handle V4 key features well. Notable examples of mangled features
are multiple subkeys, a revoked subkey (tag 0x28), duplicate keyids, direct
key signatures (tag 0x1F), revocation signatures on userids (tag 0x30), or
photo IDs. There is also no development or maintenance being done on the pks
platform. One exception to the pks servers is keyserver.kjsl.com, which has
been patched to not mangle keys; however, it drops photo IDs.

The one PKS server at kjsl.com, the old LDAP keyservers (only one is still
on the 'net and it's unsynchronized, ldap://keyserver-legacy.pgp.com), and
the SKS servers handle v4 keys correctly. The new LDAP PGP Universal key
server at ldap://keyserver.pgp.com also handles keys correctly, but its
myriad additional signatures added to keys are often (jokingly?) cited for
the addition of the 'clean' options in GnuPG. It, for obvious reasons, is

The current platform of choice is known as the Synchronizing Key Server
(SKS). It is written to fully comply with OpenPGP specifications.

subkeys.pgp.net is a round-robin DNS lookup of four servers. Three SKS
servers and the server at keyserver.kjsl.com.

The address some of my correspondents and myself and refer to most users is
x-hkp://random.sks.keyserver.penguin.de. It's a round-robin alias that is
updated daily with the operational servers in SKS' universe.

For my own use, I use minsky.surfnet.nl. It's easy for me to remember (Yaron
Minsky wrote SKS and its Gossip protocol.) It's also short to type.

- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
Version: GnuPG v1.4.3-cvs-3911-2005-10-14 (Windows 2000 SP4)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the £33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Hash: SHA1

The above signed blog posting did not verify in-place in FireGPG when I encountered it on a different blog site. I selected the original text obtained with the [display original] link in FireGPG, and reposted it here to re-check verification. It does not verify here either.
As a further test, I again took the original text and saved it to a separate file. The file verifies OK. By this result it appears a bug exists in FireGPG.
I am clear-signing this post as an additional test. If you're a guest, you can find the public key in an earlier August 8 post in this blog.
Version: GnuPG v1.4.7 (MingW32)
Comment: http://getfiregpg.org


It would also be nice to have some type of hotkey or mechanism to temporarily disable FireGPG's mangling of page content.

No comments: