ietf-openpgp
[Top] [All Lists]

Re: key flags -- what do they mean?

1999-03-10 01:09:22
On 1999-03-09 17:33:39 -0800, Jon Callas wrote about CA flags:

If the flags subpacket is present in the signature Alice made, the
"certification" flag is interesting only when it is 0. If it is 1,
it's the same thing as Alice not putting it there at all. If it is
zero, Alice is asking you not to propagate trust from her key to
Bob's key to some other key.

I don't understand this.  Is it possible that you are confusing
recommendations and "usual" certificates here?

We have well-defined recommendations ("trust signatures") in the
spec. It would thus be silly to assume that a plain (user-id, key)
certification implies any recommendation about the signee.  This
means that the CA flag would just be a no-op on any certificates,
and completely useless for actual CA use.

The only reasonable interpretation would be that the "default" CA
flag (i.e., the meaning of no such sub-packet) should be 0, i.e.,
"don't pass trust".  This is actually consistant with the phrasing
in the spec which says that "missing" flags should default to 0.

To put it short: The key flag spec is seriously flawed.  We may wish
to revise this in a future version.

tlr
-- 
http://home.pages.de/~roessler/