On Tue, Sep 20, 2005 at 01:12:47PM -0400, David Shaw wrote:
No, it isn't. This becomes a major interoperability issue, when you use
signature subkeys. It's not quite clear from RFC2440 wether the 8-byte
signatory field sould point to the main key or the subkey, but in several
implementations it points to the subkey, which actually made the signature
(and this is the right behavior, IMHO).
I don't know of *any* implementations that set the issuer subpacket to
anything other than the key that made the signature, as specified in
You mean the actual subkey, right? Where is it specified in the RFC?
The formulation "the key that made the signature" is a bit ambiguous, IMHO,
but, of course, the sensible thing to do is obvious.
Doing otherwise would be an absurd thing to do - the signing
equivalent of putting the main key ID into a PKESK packet when
encrypting to a subkey. If you can point to a single implementation
that does this wrong, I'll immediately concede the point.
Of course, I can't. This is why I am saying that SKS has an important
interoperability problem. It EXPECTS the wrong behavior, while nobody
actually does it.