Re: signing & authentication sequences

2000-11-10 01:41:40
At 3:30 PM +0800 11/10/00, Erron Criddle wrote:
> To all,
>
> Just wondering if there's a reference anywhere regarding the checking of
> signing keys when authenticating a signature (and for that matter when
> creating a signature), regarding expiry dates, revocation signatures (the
> validity of the same) etc etc.
>
> I thought this would be an implementation issue however I think that the
> Open PGP standard needs to lay down the rules regarding the sequence of
> events that need to take place when signing and authenticating a signature.

The OpenPGP standard specifically leaves that open. It provides mechanisms
for that, but the trust and validity model one uses is implementation

The working group explicitly decided that there would be no mandated trust
model. You can use any trust model you want with it. You can use a PKIX
one, you can use the Web of Trust, or anything in between.

We've encouraged people to write informational RFCs on trust models. Phil
Zimmermann had at one time expressed a desire to write one on the Web of
Trust, but has never done so. Other people have discussed other things.

> I have come up with a sequence of events that need to be checked if one is

Feel free to write up such a document. The working group supports that. But
it will be a separate RFC from 2440 and descendants.
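As an added illustration (not from this thread, and not the sequence Erron refers to, which is cut off above): a small Python model of the kind of key checks a verifier applies before trusting a signature, covering key expiry, signature expiry, timestamp ordering and revocation. The check order and the hard/soft revocation distinction are assumptions reflecting common implementation practice, exactly the sort of policy the thread notes RFC 2440 leaves to the implementer.

```python
from dataclasses import dataclass
from typing import List, Optional

# Times are Unix timestamps; None means "no expiry" or "not revoked".
@dataclass
class SigningKey:
    key_id: str
    created: int
    expires: Optional[int] = None
    can_sign: bool = True
    revoked_at: Optional[int] = None
    # "hard" (compromised / no reason given) or "soft" (superseded / retired).
    # Assumption: this split mirrors common practice, not a rule in RFC 2440.
    revocation_kind: Optional[str] = None

@dataclass
class Signature:
    signer_key_id: str
    created: int
    expires: Optional[int] = None

def validity_problems(sig: Signature, key: SigningKey, now: int) -> List[str]:
    """Return every reason the signature must not be trusted (empty list = OK)."""
    problems: List[str] = []
    if sig.signer_key_id != key.key_id:
        return ["signature was not made by this key"]
    if not key.can_sign:
        problems.append("key is not flagged for signing")
    if sig.created > now:
        problems.append("signature is dated in the future")
    if sig.created < key.created:
        problems.append("signature predates the key")
    if key.expires is not None and sig.created >= key.expires:
        problems.append("key had already expired when the signature was made")
    if sig.expires is not None and now >= sig.expires:
        problems.append("signature itself has expired")
    if key.revoked_at is not None:
        # A soft revocation only invalidates signatures made after it;
        # a hard revocation (e.g. key compromise) invalidates all of them.
        if not (key.revocation_kind == "soft" and sig.created < key.revoked_at):
            problems.append("key is revoked")
    return problems

if __name__ == "__main__":
    # Constructed sample: key valid 1000..5000, signed at 2000, checked at 3000.
    k = SigningKey("0xCONSTRUCTED01", created=1000, expires=5000)
    print(validity_problems(Signature("0xCONSTRUCTED01", created=2000), k, now=3000))
```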
