camel-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Franz Forsthofer (JIRA)" <>
Subject [jira] [Commented] (CAMEL-7002) PGPDataFormat: restrict verifying public keys and allow several signatures
Date Thu, 05 Dec 2013 05:47:36 GMT


Franz Forsthofer commented on CAMEL-7002:

Hi Aki,

we could offer both possibilities. If you do not specify a signature User Id for the verification
the verification shall be executed against all public keys in the keyring (actually this is
the current situation). To support your use case, we only have to set headers after the verification.
I propose that we are setting two headers:
* the header "UserIdOfVerificationKey" shall contain the user ID of the key used for the verification
* the header "KeyIdOfVerificationKey" shall contain the key ID of the key used for the verification
And as a second possibility you can restrict the verification keys by specifying User IDs
as I proposed.

But in both cases we shall write the additional two headers.

What do you think about that?

Regards Franz

> PGPDataFormat: restrict verifying public keys and allow several signatures
> --------------------------------------------------------------------------
>                 Key: CAMEL-7002
>                 URL:
>             Project: Camel
>          Issue Type: Improvement
>          Components:  camel-crypto
>            Reporter: Franz Forsthofer
>            Assignee: Hadrian Zbarcea
>             Fix For: 2.12.3, 2.13.0
>         Attachments: 0001-PGPDataFormat-signatureUserIds-added.patch
> The contribution consists of two parts.
> The first part is about the verifier.
> During the signature verification with PGPDataFormat currently all public keys contained
in the public keyring are taken into account. So the current semantic is: Verify the signature
against all public keys in the keyring. IF you have a keyring with lot of public keys you
will not want that every identity represented by the public keys can sent to you a signature.
Normally you want to know from which identity the signature comes. Therefore I have introduced
the possibility to restrict the verifying publikc keys; I have introduced the parameter signatureKeyUserids
where you specify the Userids the publc keys must have in order to be allowed to verify a
> The second contribution is about the encryptor. Currently the encrypted part can contain
one signature from one private key. I added now the possibility that several several signatures
can be added from different private keys. The used private keys are defined by the values
of the new paramter signatureKeyUserids. This new functionality is especially useful to ease
the key renewal. For a certain time period you can sent messages containing the signature
from the old key and the new key to the receiver. 

This message was sent by Atlassian JIRA

View raw message