Notary signature implementation notes

Hi folks,

I recently roughed in some support for notary signatures in GnuPG.
Here are some samples.  The first attachment is the file the original
signature was issued on.  The second attachment is a detached
signature on that file.  The third attachment is a v4 0x50 signature
on that signature, and the final attachment is a v3 0x50.

All of these signatures were issued by key 0xD8B2D20C, currently on a
friendly keyserver near you.

I used the canonicalization rules Hal Finney suggested in
http://www.imc.org/ietf-openpgp/mail-archive/msg04021.html except I
used the constant 0x88 rather than 0x84 for the canonical CTB.  I
believe 0x84 was a typo since that would be a CTB for a session key
packet.

It was suggested that notary signatures always contain a signature
target subpacket.  After implementing notary signatures, I'm not sure
how useful this would be given the current signature target subpacket.
To create the subpacket, the notary needs to have the public key of
the signer of the original signature in order to get the raw hash out
of the original signature.  That harms somewhat the nice feature of a
notary signature that the notary does not need to know anything about
the original document and its signer.  One possible solution to this
is to define the signature target subpacket as a canonical hash of the
original signature rather than as the actual hash from the original
signature.

David

-- 
   David Shaw  |  dshaw(_at_)jabberwocky(_dot_)com  |  WWW 
http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

foo
Description: Text document

foo.asc
Description: Text document

v4.sig
Description: Text document

v3.sig
Description: Text document