Jon Callas wrote:
> On Jan 23, 2007, at 4:21 PM, Jim Fenton wrote:
>
>> I generally agree with "RFC only", but haven't thought about all
>> eight of the registries that -base asks to have created. It's not
>> clear that we want to do this with all of them. For example, we
>> might want to set a higher bar for the signature or hash algorithm
>> than for creation of a new signature tag.
>
> To be something of a devil's advocate on this, why? A nice property
> of signatures is that there is pressure on the verifier either to
> create them maximally interoperably, or accept that some people won't
> be able to verify them.
>
> As a verifier, if I start seeing signatures with a hash that I don't
> speak (or think is not secure), I just consider the message to be
> unsigned or bogusly signed. No problem.

Thanks, Paul, John, Scott, Arvel, Jon, and Phill (did I miss anyone?).
I have to agree with the logic that you presented, that the namespace
isn't constrained, and even for such things as hash and signature
algorithms the registry isn't the place to make sure people make good
choices. Let's use "RFC only" for everything. It was worthwhile (for
me, anyway) to have talked that through.
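
The verifier behaviour described in the quoted message (a signature whose algorithm the verifier does not implement, or does not trust, is handled as if the message were unsigned), as an added example that is not part of the original thread and not code from any DKIM implementation. The policy sets, function names and sample header values are assumptions constructed for illustration.

```python
import re

# Assumed local policy, not taken from the thread: what this verifier
# implements, and which of those it no longer trusts.
IMPLEMENTED = {"rsa-sha1", "rsa-sha256"}
DISTRUSTED = {"rsa-sha1"}

def parse_tag_list(value):
    """Parse a DKIM-Signature header value (tag=value; ...) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError("malformed or duplicate tag")
        tags[name] = val.strip()
    return tags

def signature_disposition(value):
    """Return ('verify' | 'ignore', reason) for one DKIM-Signature value."""
    try:
        alg = parse_tag_list(value).get("a", "").lower()
    except ValueError as exc:
        return "ignore", str(exc)
    if alg not in IMPLEMENTED:
        return "ignore", "unknown algorithm %r" % alg
    if alg in DISTRUSTED:
        return "ignore", "distrusted algorithm %r" % alg
    return "verify", alg

def message_disposition(signature_values):
    """A message is handled as unsigned unless one signature is usable."""
    usable = [v for v in signature_values
              if signature_disposition(v)[0] == "verify"]
    return ("verify", usable) if usable else ("unsigned", [])

# Constructed sample headers; 'rsa-whirlpool' is a made-up algorithm name.
GOOD = "v=1; a=rsa-sha256; d=example.org; s=sel;\r\n h=from:to; bh=AAAA; b=BBBB"
ODD = "v=1; a=rsa-whirlpool; d=example.org; s=sel; h=from; bh=AAAA; b=BBBB"
OLD = "v=1; a=rsa-sha1; d=example.org; s=sel; h=from; bh=AAAA; b=BBBB"

if __name__ == "__main__":
    for header in (GOOD, ODD, OLD):
        print(signature_disposition(header))
    print(message_disposition([ODD, OLD])[0])
```

Only signatures that come back as `verify` go on to the cryptographic check; the others are skipped rather than counted as failures.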