David Shaw writes:
I don't know of *any* implementations that set the issuer subpacket to
anything other than the key that made the signature, as specified in
the RFC. Doing otherwise would be an absurd thing to do - the signing
equivalent of putting the main key ID into a PKESK packet when
encrypting to a subkey. If you can point to a single implementation
that does this wrong, I'll immediately concede the point.
Perhaps we should clarify the language in the RFC to eliminate any
such ambiguity. 184.108.40.206, the Issuer subpacket, just says:
The OpenPGP key ID of the key issuing the signature.
We could add "If the signature is issued by a subkey then the key ID of
this subkey is used here instead of the key ID of the primary key."
We do have similar language in 5.2 for PKESKs:
- An eight-octet number that gives the key ID of the public key
that the session key is encrypted to. If the session key is
encrypted to a subkey then the key ID of this subkey is used
here instead of the key ID of the primary key.
This would make sure there is no ambiguity about which key ID to use.