Thomas Roessler sent me the below interpretation of key flags to
certification in email. Forwarded to the list with permission.
Comments?
Adam
------- Start of forwarded message -------
Date: Mon, 8 Mar 1999 07:28:46 +0100
From: Thomas Roessler <roessler@guug.de>
To: Adam Back <aba@dcs.exeter.ac.uk>
Subject: Re: key flags -- what do they mean?
References: <199903080005.AAA04566@server.eternity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.96i
In-Reply-To: <199903080005.AAA04566@server.eternity.org>
On 1999-03-08 00:05:51 +0000, Adam Back wrote:
> So the question is does this mean that it is possible to say that a
> key may not be used for certification?
As I read this, the key's owner can say that a key should not be
used for certification (whatever this means), but a CA can't, and a
CA can't make sure the user doesn't change his mind.
Quoting from 5.2.3.2:
    Subpackets that appear in a certification self-signature apply to
    the username, and subpackets that appear in the subkey
    self-signature apply to the subkey. Lastly, subpackets on the
    direct key signature apply to the entire key.
This means that a CA could only make a statement about key usage for
a specific user-id. Such a statement doesn't make too much sense.
Alternatively, a user could put a statement like this one into a key
self-signature. Since this self-signature is not part of the
information signed by the CA, it's worthless from the British govt's
point of view - the user could change his mind and generate a new
self-signature.
Additionally, the standard doesn't mandate implementations to
implement the specific signature subpacket we are talking about. In
5.2.3.1, you can read the following:
    An evaluator may "recognize" a subpacket, but not implement it. The
    purpose of the critical bit is to allow the signer to tell an
    evaluator that it would prefer a new, unknown feature to generate an
    error than be ignored.

    Implementations SHOULD implement "preferences".
Regards, tlr
-- 
http://home.pages.de/~roessler/
------- End of forwarded message -------
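Thomas's reading of 5.2.3.1 and 5.2.3.2 turns on two mechanics: which signature a key-flags subpacket sits in, and what the critical bit asks of an evaluator. The Python below is an added example, not code from the thread or from any OpenPGP implementation; the subpacket type number 27 and the certify bit 0x01 are taken from RFC 2440, and the sample byte strings are constructed.

```python
# Added example: walk the subpackets of an OpenPGP signature (RFC 2440 5.2.3.1)
# and read the Key Flags subpacket, honouring the critical bit. Type number 27
# and flag bit 0x01 come from RFC 2440; the sample byte strings are constructed.

KEY_FLAGS = 27             # subpacket type "Key Flags"
CERTIFY_OTHER_KEYS = 0x01  # "This key may be used to certify other keys"

def read_subpacket_length(data, pos):
    """Decode the 1-, 2- or 5-octet subpacket length; return (length, next_pos)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return int.from_bytes(data[pos + 1:pos + 5], 'big'), pos + 5

def parse_subpackets(data, known=(KEY_FLAGS,)):
    """Return {type: body} for a hashed or unhashed subpacket area.

    An unknown subpacket is skipped unless its critical bit is set, in
    which case the evaluator must fail rather than silently ignore it.
    """
    pos, result = 0, {}
    while pos < len(data):
        length, pos = read_subpacket_length(data, pos)
        type_octet = data[pos]
        critical = bool(type_octet & 0x80)   # high bit of the type octet
        sp_type = type_octet & 0x7F
        body = data[pos + 1:pos + length]    # length covers type octet + body
        pos += length
        if sp_type not in known:
            if critical:
                raise ValueError(f"critical unknown subpacket type {sp_type}")
            continue
        result[sp_type] = body
    return result

def may_certify(subpackets):
    """False only when a Key Flags subpacket is present and clears bit 0x01;
    a signature with no Key Flags expresses no usage restriction at all."""
    flags = subpackets.get(KEY_FLAGS)
    return True if flags is None else bool(flags[0] & CERTIFY_OTHER_KEYS)

# Constructed: Key Flags = 0x02 (sign data only), then an unknown,
# non-critical subpacket of type 100 that an evaluator may ignore.
SAMPLE_SIGN_ONLY = bytes([2, KEY_FLAGS, 0x02, 2, 100, 0xAA])
# Constructed: same, but type 100 now carries the critical bit (0x80 | 100).
SAMPLE_CRITICAL = bytes([2, KEY_FLAGS, 0x02, 2, 0x80 | 100, 0xAA])
```

Run the parser over the hashed area of the self-signature and of a CA's certification separately: only flags found in the area the CA actually signed are covered by the CA's signature, which is the point Thomas makes about a user regenerating the self-signature.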