ietf-openpgp

Re: key flags -- what do they mean?

1999-03-10 17:34:13

Thanks for the clarifications, I think we are getting close to
unambiguous now.  My understanding of the semantics now leads me to the
conclusion that the flags are not that useful, or constructive.

To tally we have semantics of the following flags when used in a
certificate signature

       0x01 - This key may be used to certify other keys.

Jon:
If the flags subpacket is present in the signature Alice made, the
"certification" flag is interesting only when it is 0. [...] If it is
zero, Alice is asking you not to propagate trust from her key to Bob's
key to some other key. 

I'll come back to discussion of this below, but we now have a defined
and clear semantics.

       0x04 - This key may be used to encrypt communications.
       0x08 - This key may be used to encrypt storage.

Jon:
If the top-level key is a signing-only key (e.g. DSA), then the
certifier doesn't get to make any meaningful statements about
encryption.
[...]
it's not been anyone's intent to do that [use encryption flags on
certification signatures], and no one has implemented code to do
that.

So 0x04 and 0x08 are meaningless in the context of certificates.

       0x02 - This key may be used to sign data.

This flag is of limited value also.  If we tabulate the possible
values, we have:

0x8 encrypt storage.    x       x       x       x
0x4 encrypt comms.      x       x       x       x
0x2 sign                0       1       0       1
0x1 certify             0       0       1       1

(encrypt are x = don't care because they have no meaning).

we can see that:

xx00 has no meaning as it is a null certificate (can't sign, can't
certify = no value!)

xx11 is redundant because it is the same as missing off the key flag

xx01 you can use this cert in the calculation of validity for
certification purposes but not for document signatures; odd because
certification is generally considered a more security critical operation
than document signature.

xx10 you can sign but not certify.

Now the discussion of the certify flag.

Overall the flags seem to be very CA centric.  The certify flag (when
set to zero) has negative impact on the WoT, though perhaps a CA might
be interested to use them to prevent people who had not paid the CA
for a certificate having their WoT connectivity strengthened by the
CA's efforts.  As the user of a key so certified, one derives more
security (better WoT connections) by ignoring the fact that the flag
is set to zero.

The sign flag (when set to zero, which only makes sense to do if the
certify flag set to one) is a bit odd.  As the user of a key so
certified, one derives more security (better WoT connections) by
ignoring the fact that the key is set to zero!

So use of either of these flags seems to detract from the WoT,
and the best thing a client could do from a security perspective is to
ignore both of them.

Comments?

Adam
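The following is an added example, not part of Adam's post or of any OpenPGP implementation. It decodes the key-flags subpacket out of a signature's subpacket area and classifies the certify/sign bits into the four cases tabulated above (the encrypt bits are treated as "don't care", as the post does). Assumptions: the subpacket length encoding and the key-flags subpacket type number (27) are those of RFC 2440; the sample subpacket area is constructed for the demonstration.

```python
"""Decode an OpenPGP key-flags signature subpacket and classify the
certify/sign combination as tabulated in the post (added example)."""

# RFC 2440 signature subpacket type for key flags (assumed from the RFC).
KEY_FLAGS_SUBPACKET_TYPE = 27

# The four flag bits discussed in the post.
FLAG_CERTIFY = 0x01
FLAG_SIGN = 0x02
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08

FLAG_NAMES = {
    FLAG_CERTIFY: "certify",
    FLAG_SIGN: "sign",
    FLAG_ENCRYPT_COMMS: "encrypt-comms",
    FLAG_ENCRYPT_STORAGE: "encrypt-storage",
}


def read_subpacket_length(data, pos):
    """Return (length, new_pos) for the RFC 2440 variable-length encoding."""
    first = data[pos]
    if first < 192:                       # one-octet length
        return first, pos + 1
    if first < 255:                       # two-octet length
        if pos + 1 >= len(data):
            raise ValueError("truncated two-octet subpacket length")
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if pos + 4 >= len(data):              # five-octet length (0xFF + 4 octets)
        raise ValueError("truncated five-octet subpacket length")
    return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5


def parse_subpackets(area):
    """Yield (type, critical, body) for every subpacket in a subpacket area.

    The encoded length covers the type octet plus the body, so the body is
    length - 1 octets long.  A length that overruns the area is rejected
    rather than silently truncated.
    """
    pos = 0
    while pos < len(area):
        length, pos = read_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("subpacket length runs past end of area")
        type_octet = area[pos]
        body = bytes(area[pos + 1:pos + length])
        yield type_octet & 0x7F, bool(type_octet & 0x80), body
        pos += length


def key_flags(area):
    """Return the first key-flags octet, or None when the subpacket is absent.

    Only the first octet carries the four flags discussed here; further
    octets, if present, are reserved and ignored.
    """
    for sp_type, _critical, body in parse_subpackets(area):
        if sp_type == KEY_FLAGS_SUBPACKET_TYPE:
            return body[0] if body else 0
    return None


def describe_flags(flags):
    """Names of the set flag bits, in ascending bit order."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def classify_certification_flags(flags):
    """Classify certify/sign per the post's table; encrypt bits are don't-care."""
    if flags is None:
        return "absent: no restriction stated, equivalent to certify+sign"
    cs = flags & (FLAG_CERTIFY | FLAG_SIGN)
    if cs == 0:
        return "xx00: null certificate (neither sign nor certify)"
    if cs == FLAG_CERTIFY | FLAG_SIGN:
        return "xx11: redundant, same as omitting the key-flags subpacket"
    if cs == FLAG_CERTIFY:
        return "xx01: certify but not sign"
    return "xx10: sign but not certify"


# Constructed sample hashed subpacket area: a signature-creation-time
# subpacket (type 2, four octets) followed by a key-flags subpacket
# (type 27) whose single octet is 0x02, i.e. sign but not certify.
SAMPLE_AREA = bytes([0x05, 0x02, 0x36, 0xE7, 0x0F, 0x00,
                     0x02, 0x1B, 0x02])

if __name__ == "__main__":
    flags = key_flags(SAMPLE_AREA)
    print("flags:", hex(flags), describe_flags(flags))
    print(classify_certification_flags(flags))
```

Running the block on the constructed sample reports `sign` only and the "xx10" case; feeding an area without a type-27 subpacket yields the "absent" case, which the post argues is what a client should treat the xx11 setting as anyway.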