ietf-openpgp

(fwd) Re: key flags -- what do they mean?

1999-03-09 15:36:40

Thomas Roessler sent me the below interpretation of key flags to
certification in email.  Forwarded to the list with permission.

Comments?

Adam

------- Start of forwarded message -------
Date: Mon, 8 Mar 1999 07:28:46 +0100
From: Thomas Roessler <roessler@guug.de>
To: Adam Back <aba@dcs.exeter.ac.uk>
Subject: Re: key flags -- what do they mean?
References: <199903080005.AAA04566@server.eternity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.96i
In-Reply-To: <199903080005.AAA04566@server.eternity.org>

On 1999-03-08 00:05:51 +0000, Adam Back wrote:

> So the question is does this mean that it is possible to say that a
> key may not be used for certification?

As I read this, the key's owner can say that a key should not be
used for certification (whatever this means), but a CA can't, and a
CA can't make sure the user doesn't change his mind.

Quoting from 5.2.3.2:

   Subpackets that appear in a certification self-signature apply to
   the username, and subpackets that appear in the subkey
   self-signature apply to the subkey. Lastly, subpackets on the
   direct key signature apply to the entire key.

This means that a CA could only make a statement about key usage for
a specific user-id.  Such a statement doesn't make too much sense.

Alternatively, a user could put a statement like this one into a key
self-signature.  Since this self-signature is not part of the
information signed by the CA, it's worthless from the British govt's
point of view - the user could change his mind and generate a new
self-signature.

Additionally, the standard doesn't mandate implementations to
implement the specific signature subpacket we are talking about.  In
5.2.3.1, you can read the following:

   An evaluator may "recognize" a subpacket, but not implement it. The
   purpose of the critical bit is to allow the signer to tell an
   evaluator that it would prefer a new, unknown feature to generate an
   error than be ignored.

   Implementations SHOULD implement "preferences".

Regards, tlr
-- 
http://home.pages.de/~roessler/
------- End of forwarded message -------
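The two mechanisms Thomas quotes, the key flags subpacket carried inside a signature and the critical bit on a subpacket type, are easy to see in code. Below is an added example, not code from the original thread or from any OpenPGP implementation: a small parser for a signature subpacket area that decodes key flags and applies the 5.2.3.1 rule that an unrecognised critical subpacket must be rejected rather than ignored. The subpacket length encoding, the critical bit (high bit of the type octet), the key flags subpacket type 27 and its flag bit values are taken from RFC 2440; all function names, the hypothetical unknown subpacket type 100 (from the private/experimental range) and the sample subpacket areas are constructed for this example.

```python
"""Parse an RFC 2440 signature subpacket area and evaluate key flags,
honouring the critical bit described in section 5.2.3.1.

Added example; not code from the thread or from any OpenPGP implementation.
"""
import struct

KEY_FLAGS = 27        # subpacket type "key flags" (RFC 2440)
CRITICAL_BIT = 0x80   # high bit of the subpacket type octet

# Key flag bit meanings as defined in RFC 2440.
FLAG_NAMES = {
    0x01: "certify other keys",
    0x02: "sign data",
    0x04: "encrypt communications",
    0x08: "encrypt storage",
    0x10: "private component split",
    0x80: "shared by more than one person",
}


class UnknownCriticalSubpacket(Exception):
    """Raised when a subpacket we do not implement has the critical bit set."""


def parse_subpackets(area: bytes):
    """Return a list of (type, critical, body) tuples for a subpacket area.

    Each subpacket is: length (1, 2 or 5 octets), one type octet, body.
    The length counts the type octet and body but not the length itself.
    """
    out = []
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:                                 # 0xFF + four-octet scalar
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
            i += 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        type_octet = area[i]
        body = area[i + 1:i + length]
        out.append((type_octet & 0x7F, bool(type_octet & CRITICAL_BIT), body))
        i += length
    return out


def build_subpacket(sp_type: int, body: bytes, critical: bool = False) -> bytes:
    """Encode one subpacket using the 1/2/5-octet length forms of 5.2.3.1."""
    length = len(body) + 1                    # body plus the type octet
    if length < 192:
        enc = bytes([length])
    elif length < 8384:
        length -= 192
        enc = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        enc = b"\xff" + struct.pack(">I", length)
    type_octet = sp_type | (CRITICAL_BIT if critical else 0)
    return enc + bytes([type_octet]) + body


def evaluate_key_flags(area: bytes, known_types=frozenset({KEY_FLAGS})):
    """Return the set of usages granted by the key flags in this area.

    Unknown non-critical subpackets are skipped; an unknown subpacket whose
    critical bit is set aborts evaluation, as 5.2.3.1 says the signer asked for.
    """
    usages = set()
    for sp_type, critical, body in parse_subpackets(area):
        if sp_type not in known_types:
            if critical:
                raise UnknownCriticalSubpacket(f"subpacket type {sp_type}")
            continue
        if sp_type == KEY_FLAGS and body:
            for bit, name in FLAG_NAMES.items():
                if body[0] & bit:
                    usages.add(name)
    return usages


def may_certify(area: bytes) -> bool:
    """True if the key flags in this subpacket area allow certification."""
    return "certify other keys" in evaluate_key_flags(area)


# Constructed sample subpacket areas (not taken from any real key).
SIGN_AND_ENCRYPT_ONLY = build_subpacket(KEY_FLAGS, b"\x06")    # 0x02 | 0x04
CERTIFY_ONLY = build_subpacket(KEY_FLAGS, b"\x01")
UNKNOWN_NONCRITICAL = build_subpacket(100, b"opaque") + CERTIFY_ONLY
UNKNOWN_CRITICAL = build_subpacket(100, b"opaque", critical=True) + CERTIFY_ONLY

if __name__ == "__main__":
    print("sign/encrypt area may certify:", may_certify(SIGN_AND_ENCRYPT_ONLY))
    print("certify area may certify:", may_certify(CERTIFY_ONLY))
    print("unknown non-critical ignored:", may_certify(UNKNOWN_NONCRITICAL))
    try:
        may_certify(UNKNOWN_CRITICAL)
    except UnknownCriticalSubpacket as e:
        print("rejected:", e)
```

Note that the parser says nothing about which signature the subpacket area came from. Whether the flags bind the whole key, one user ID or a subkey is decided by the rule in 5.2.3.2 that Thomas quotes, and a self-signature carrying these flags can be replaced by the key owner at will, which is exactly the limitation he points out.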
