From RFC2440:
5.2.3.3. Signature creation time
(4 octet time field)
The time the signature was made.
MUST be present in the hashed area.
(note the MUST)
5.2.3.4. Issuer
(8 octet key ID)
The OpenPGP key ID of the key issuing the signature.
(note the lack of any advice on whether the subpacket is mandatory or
optional)
5.2.4.1. Subpacket Hints
An implementation SHOULD put the two mandatory subpackets,
creation time and issuer, as the first subpackets in the
subpacket list, simply to make it easier for the implementer to
find them.
The fact that the issuer is mandatory should be reflected by a "MUST" in
5.2.3.4 as/when RFC2440 is updated.
As it happens, PGP6.5 is capable of creating keys without an issuer at
all (the example I have is of a X.509 certificate wrapped by a PGP key).
This is sufficient to break the standard public-key server software -
openPGP vendors may like to check their code too!
The fact that PGP omits the subpacket may be because of the way the
mandatory nature of this subpacket has not been sufficiently emphasised.
--
Ian Bell T U R N P I K E Ltd