David Shaw <dshaw(_at_)akamai(_dot_)com> writes:
[RFC 2440 et al. as mere syntax]

True, and it even says that in the Abstract. There is an exception
made for security issues: "It does not deal with storage and
implementation questions. It does, however, discuss implementation
issues necessary to avoid security flaws."

I think it limits itself to security flaws which directly break the
cryptographic algorithms involved. Flaws at a higher level are not
discussed.

Offhand, I can't think of a security implication to having multiple
UIDs marked primary (though I'm sure someone here can). My concern is
with the security implications of having multiple conflicting
self-signatures. Without some suggested way to resolve the conflict,
there can be security implications. If it is truly a security issue,
then it is appropriate in 2440bis. (Obviously, I think it's enough of
a security issue to mention - I'd like to hear what others think.)

Differences in interpretation of expiration times can have security
implications, too. ;-)

On the other hand, if such additions are accepted, I've got a long
list of them...

Care to work on an "Implementation Suggestions for OpenPGP" with me?

Yes, details will follow in private mail.
--
Florian Weimer
Florian(_dot_)Weimer(_at_)RUS(_dot_)Uni-Stuttgart(_dot_)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898