-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
From: "David Shaw" <dshaw(_at_)jabberwocky(_dot_)com>
2440bis seems to say that v4 signatures require (MUST) an issuer subpacket
...
Come to think, both PGP and GnuPG create v4 signatures with a hashed
timestamp, and an unhashed issuer. Are they compliant? ;)
I don't think that the specification should require either. It would be
fair to note that many implementations will be unable (or unwilling) to
interpret a signature without these things.
But even if the issuer remains a MUST, it certainly doesn't need
to be in the hashed material. As it stands, the specification doesn't
say so exactly -- it merely suggests that they should be the first two
subpackets, which is silly if the timestamp is hashed but the issuer
is not. I would just excise the suggestion entirely.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQA/AwUBPVgWJVMkvpTT8vCGEQLEMwCfUnZsYv6w/jQVYjBttwFWq7Y8by4AnRAY
L1gn2QkotnPczcBtgFwcLJ/4
=tzg2
-----END PGP SIGNATURE-----
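
Added example, not part of the original message: a minimal parser for the v4 signature packet body as laid out in RFC 2440/4880, reporting whether each subpacket type (creation time is type 2, issuer is type 16) sits in the hashed or the unhashed area. The function names are hypothetical and the sample bytes are constructed, not taken from any real signature.

```python
SIG_CREATION_TIME = 2   # subpacket type: signature creation time
ISSUER = 16             # subpacket type: issuer key ID


def parse_subpackets(area):
    """Return [(type, critical, data)] for one subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192
            i += 2
        else:                                 # five-octet length
            length = int.from_bytes(area[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(area):   # length counts the type octet
            raise ValueError("malformed subpacket length")
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
        i += length
    return out


def subpacket_placement(sig_body):
    """Map subpacket type -> set of areas ('hashed', 'unhashed') it appears in."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hashed_len = int.from_bytes(sig_body[4:6], "big")
    off = 6 + hashed_len                      # start of the unhashed length field
    if len(sig_body) < off + 2:
        raise ValueError("truncated hashed area")
    end = off + 2 + int.from_bytes(sig_body[off:off + 2], "big")
    if len(sig_body) < end:
        raise ValueError("truncated unhashed area")
    placement = {}
    for name, area in (("hashed", sig_body[6:off]), ("unhashed", sig_body[off + 2:end])):
        for sp_type, _critical, _data in parse_subpackets(area):
            placement.setdefault(sp_type, set()).add(name)
    return placement


# Constructed sample: v4, binary-document sig, DSA, SHA-1; hashed creation time,
# unhashed issuer, two hash-prefix octets. The signature MPIs are omitted.
SAMPLE = (bytes([4, 0x00, 17, 2])
          + b"\x00\x06" + b"\x05\x02" + b"\x00\x00\x00\x01"
          + b"\x00\x0a" + b"\x09\x10" + bytes.fromhex("0102030405060708")
          + b"\x00\x00")
```

Only the hashed area is covered by the signature, so a subpacket reported as `unhashed` can be altered or replaced without invalidating it.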