On Fri, 14 Jan 2000, Ian Bell wrote:
5.2.3.3. Signature creation time
(4 octet time field)
The time the signature was made.
MUST be present in the hashed area.
(note the MUST)
This MUST is related to the area (whether it goes into the hashed or
unhashed area) and not to the subpacket itself. I can think of
applications where the signature time is not really needed, say
because the time can be deduced from another subpacket.
5.2.3.4. Issuer
(8 octet key ID)
The OpenPGP key ID of the key issuing the signature.
(note the lack of any advice on whether the subpacket is mandatory or
optional)
All the subpackets are optional. I agree that this field is very
important but in environments where you use only a few keypairs it
may be omitted.
5.2.4.1. Subpacket Hints
An implementation SHOULD put the two mandatory subpackets,
creation time and issuer, as the first subpackets in the
subpacket list, simply to make it easier for the implementer to
find them.
The fact that the issuer is mandatory should be reflected by a "MUST" in
5.2.3.4 as/when RFC2440 is updated.
Well, because the issuer is not mandatory, we actually can leave the
text as it is. I think the definition of "mandatory" is not clear:
Is a SHOULD mandatory?
all (the example I have is of an X.509 certificate wrapped by a PGP key).
This is sufficient to break the standard public-key server software -
At least Marc's server has many other problems with OpenPGP, so that this
one is only a minor thing.
The fact that PGP omits the subpacket may be because of the way the
mandatory nature of this subpacket has not been sufficiently emphasised.
I have not found a reference to X.509 in rfc2440 - so this seems to be a
private extension of PGP 6 which violates OpenPGP (as the PhotoID and some
other things do it too).
--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
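
The subpacket handling discussed in this message, as an added example that is not part of the original e-mail or of any project's code: it walks both subpacket areas of a version 4 signature body, using the RFC 2440 section 5.2.3 layout and length encoding, and reports creation time and issuer together with the area each was found in, treating a missing issuer as a normal case rather than an error. The function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

SIG_CREATION_TIME, ISSUER = 2, 16  # subpacket types, RFC 2440 5.2.3.3 / 5.2.3.4

def parse_subpackets(area):
    """Yield (type, critical, data) for each subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # 0xFF, then four-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("subpacket overruns its area")
        # The length counts the type octet; bit 7 of that octet is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def check_v4_signature(body):
    """Map subpacket type -> (raw data, in_hashed_area) for creation time and
    issuer. Either key may be missing: the caller decides what absence means."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    h_end = 6 + struct.unpack(">H", body[4:6])[0]
    if h_end + 2 > len(body):
        raise ValueError("hashed area overruns packet")
    u_end = h_end + 2 + struct.unpack(">H", body[h_end:h_end + 2])[0]
    if u_end > len(body):
        raise ValueError("unhashed area overruns packet")
    found = {}
    for hashed, area in ((True, body[6:h_end]), (False, body[h_end + 2:u_end])):
        for stype, _critical, data in parse_subpackets(area):
            if (stype, len(data)) in ((SIG_CREATION_TIME, 4), (ISSUER, 8)):
                found.setdefault(stype, (data, hashed))  # hashed area is read first
    return found

# Constructed samples (made-up values): type 0x10 signature, RSA (1), SHA-1 (2).
_TIME = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", 947808000)
_ISSUER = bytes([9, ISSUER]) + bytes.fromhex("0102030405060708")
_HEAD = bytes([4, 0x10, 1, 2]) + struct.pack(">H", len(_TIME)) + _TIME
SAMPLE_NO_ISSUER = _HEAD + struct.pack(">H", 0)
SAMPLE_WITH_ISSUER = _HEAD + struct.pack(">H", len(_ISSUER)) + _ISSUER
```

Calling `check_v4_signature(SAMPLE_NO_ISSUER)` returns a mapping with no issuer entry, which is the case a consumer such as a key server has to handle without failing.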