[Top] [All Lists]

Re: Revocation target subpacket (Re: What's left before a new RFC?)

2002-04-17 17:52:52

On Wed, Apr 17, 2002 at 08:20:26PM -0400, Michael Young wrote:

I still desire a "revocation target" subpacket to identify the
specific signature being revoked:


David Shaw also suggested including the timestamp from the revocation
packet, to allow a blazingly fast comparison.  Again, I could live
with or without this.

After further consideration of Jon's comments about hash comparison, I
don't see the need.

Without the ability to revoke a specific signature, I strongly object
to multiple self-signatures being interpreted "any way it sees fit".
Yes, there's a RECOMMENDED behavior, and that may be the best we can
hope for in old implementations.  It's sad to suggest that when
conversing among new implementations, a key owner cannot update its
self-signature in a clear and unambiguous way.  But a revocation
target would satisfy my objection.  There may be other solutions to
this specific problem, such as a "supercedes" subpacket, but I don't
think they're as generally powerful or useful.

Note that I would not limit the use of this subpacket to self-signatures.
I think it would be equally meaningful for ordinary certifications,
to disambiguate between signatures with different subpackets (e.g.,
notation, trust limits, policy) or classes (e.g., 0x10 through 0x13).

See also the mail I just sent about designated revokers - there is a
good potential use there as well.


   David Shaw  |  dshaw(_at_)jabberwocky(_dot_)com  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson