Re: Resolving multiple primary user IDs and self-signatures

2001-08-27 06:37:14

David Shaw <dshaw(_at_)akamai(_dot_)com> writes:

[RFC 2440 et al. as mere syntax]

True, and it even says that in the Abstract.  There is an exception
made for security issues: "It does not deal with storage and
implementation questions.  It does, however, discuss implementation
issues necessary to avoid security flaws."

I think it limits itself to security flaws which directly break the
cryptographic algorithms involved.  Flaws at a higher level are not

Offhand, I can't think of a security implication to having multiple
UIDs marked primary (though I'm sure someone here can).  My concern is
with the security implications of having multiple conflicting
self-signatures.  Without some suggested way to resolve the conflict,
there can be security implications.  If it is truly a security issue,
then it is appropriate in 2440bis.  (Obviously, I think it's enough of
a security issue to mention - I'd like to hear what others think.)

Differences in interpretation of expiration times can have security
implications, too. ;-)

On the other hand, if such additions are accepted, I've got a long
list of them...

Care to work on an "Implementation Suggestions for OpenPGP" with me?

Yes, details will follow in private mail. 

Florian Weimer                    
University of Stuttgart 
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

