-----BEGIN PGP SIGNED MESSAGE-----
On Wed, Jun 25, 2003 at 12:24:34PM -0700, Hal Finney wrote:
As far as David's proposal, as I understand it, when a new subkey is
created, it signs the main key, along the lines we have been
discussing. However, rather than putting that signature on the main
key, we instead put it into a subpacket of the subkey binding
signature issued by the main key. Since the subkey creation process
has access to the private parts of both keys, there is of course no
difficulty in creating the signatures in this order and putting them
in these places.
Exactly. Note, however, that there is no need for the subkey
generation process to have access to the private part of the primary
key. Since this subkey-on-primary signature does not need to be part
of (i.e. hashed into) the subkey binding signature, and is just
located on the binding signature for convenience, there is no reason
why it can't be in the unhashed section of the binding signature. The
subpacket should work equally well in either the hashed or unhashed
The main advantage I see would be that we would not have a new
signature sitting on the main key, which some old software might
choke on if it were particularly particular. Instead we have a new
kind of subpacket in the subkey binding signature, which hopefully
most software will ignore if it is non-critical.
This proposal does depend on old software ignoring non-critical
subpackets, in order for newly created subkeys to still be used by
old software (at least, old software that allowed the use of signing
Yes. I suppose it comes down to which is less likely to cause a
problem: a new signature subpacket, or a new signature class (as
suggested below). I lean towards a signature subpacket for the
various reasons given in this thread thus far. There is also a minor
advantage in key maintenance. If a subkey is deleted, the
back-signature goes with it automatically, and the implementation
doesn't have to search for and delete back signatures elsewhere on the
One concern I have is the rather generic "1F" signature type proposed
for the subkey-on-key signatures. It would probably be better to
use a new signature type specific for this purpose. We use "18"
for the topkey-on-subkey signature, so maybe we could use "19" for the
subkey-on-topkey. That would reduce the possibility of an existing "1F"
signature somehow being put to a new and malicious use. Introducing a
new signature type would increase the chance of an implementation choking
when it finds the signature on the top level key, which would be another
point in favor of David's suggestion to hide the new sig in a subpacket
of the topkey-on-subkey.
I think this is an excellent suggestion.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----