ietf-openpgp

Re: KeyId subpackets

1998-07-27 14:48:13
I've looked this over and done some of my own thinking. There are lots of
cases where having the issuer key id in the signature is really useful.
However, there are also cases where it's useful to *not* have the key id
there at all. I'm thinking of a PGPticket-like system where you'd want to
hide the authenticatee's identity from any eavesdropper. There are still
other applications where the issuer's id is essentially meta-information.
This last one is what PGP does today, by putting it in the unhashed
information area.

One of the things I'm trying to pay attention to in this spec is that good
designs get used for things they weren't exactly intended for. I don't have
the details of a quasi-anonymous signature system worked out, but I can see
that it's an interesting thing. So this argues against making it a MUST.
The fact that PGP presently essentially *is* one of these quasi-anonymous
systems only adds to the argument.

So I removed the line that says it MUST be in the hashed area. I'm leaving
it in the developer's hands.

        Jon



-----
Jon Callas                                  jon(_at_)pgp(_dot_)com
CTO, Total Network Security                 3965 Freedom Circle
Network Associates, Inc.                    Santa Clara, CA 95054
(408) 346-5860                              
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
              665B 797F 37D1 C240 53AC 6D87 3A60 4628           (RSA)
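
Added example, not part of the original message or of any PGP code base: a Python parser that reports whether the issuer key ID subpacket (type 16) of a v4 signature sits in the hashed area, the unhashed area, or is absent, which is the placement choice discussed above. It assumes the v4 signature packet layout as published in RFC 2440/4880; the key ID, timestamp and the `sig_body` helper are constructed for illustration.

```python
ISSUER = 16  # Issuer Key ID subpacket type

def subpackets(area):
    """Yield (type, critical, data) for each subpacket in one area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # 0xFF, then four-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket")
        # The length counts the type octet; bit 7 of the type is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def issuer_placement(body):
    """Map 'hashed'/'unhashed' to the issuer key IDs (hex) found in that area."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    areas, pos = {}, 4                       # skip version, sig type, pk algo, hash algo
    for name in ("hashed", "unhashed"):
        size = int.from_bytes(body[pos:pos + 2], "big")
        area = body[pos + 2:pos + 2 + size]
        if pos + 2 > len(body) or len(area) != size:
            raise ValueError("truncated subpacket area")
        areas[name] = [d.hex() for t, _, d in subpackets(area) if t == ISSUER]
        pos += 2 + size
    return areas

# Constructed sample data (not taken from any real signature).
KEYID = bytes.fromhex("0123456789abcdef")
CREATED = bytes([5, 2]) + bytes.fromhex("35bcf000")   # creation-time subpacket
ISSUER_SP = bytes([9, ISSUER]) + KEYID                # issuer key ID subpacket

def sig_body(hashed, unhashed):
    """Build a v4 signature body up to the 16-bit hash prefix (MPIs omitted)."""
    head = bytes([4, 0x00, 17, 2])           # v4, binary document, DSA, SHA-1
    return (head + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")

if __name__ == "__main__":
    print(issuer_placement(sig_body(CREATED, ISSUER_SP)))   # issuer as unhashed metadata
    print(issuer_placement(sig_body(CREATED, b"")))         # issuer omitted entirely
```

An issuer ID found only under `unhashed` is not covered by the signature hash, so a verifier can use it as a key-lookup hint but cannot treat it as authenticated.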
