-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Jun 17, 2003 at 07:26:24PM +0200, Imad R. Faiad wrote:
I am afraid that signing subkeys are going to be very
expensive to implement. The whole of the keyserver
infrastructure needs to retro fitted to deal with them.
You are right that 2440 defined signing master keys years
ago, however, to be honest with you, this is my second
encounter with them, and I consider myself a heavy
PGP user. TIGER192, SHA1x, & HAVAL-5-160, had more
widespread use than signing subkeys, if you ask me.
Yet, we had no qualms about dropping them.
Yes, and I agreed with dropping them, but I don't see a real
inconsistency here. There is a substantial difference between
dropping hash algorithms that were either unused (MD2), or unusable
(TIGER192 and HAVAL-5-160 had no OID, double-SHA was experimental),
and dropping a used feature from a widely deployed implementation.
As it happens, some keyservers (the LDAP ones) support subkey searches
today. The newer HKP servers (SKS, ONAK) plan to add support soon.
To be sure, PKS doesn't support it, but frankly, PKS also eats keys on
a regular basis. If we were going to restrict OpenPGP based on what
some of the PKSes out there could handle without choking, we'd have to
throw away v4 RSA and any key with more than one subkey as well. ;)
I think it is poor practice to restrict OpenPGP based on what a single
broken keyserver can handle, especially since there are many
alternatives, including a few fixed versions of PKS.
If you are very concerned about old keyservers not being able to
retrieve a key given a subkey ID, then I would certainly support an
(optional) subpacket or signature notation to be used on signatures
issued by a signing subkey. The subpacket would contain the keyid of
the primary key, just to make it easier to find on a keyserver.
(I saw you were unable to verify my message with PGP 8. For some
reason, signing subkeys only work with the "pgpmail" interface and not
the plugins in PGP 8. I assume it's a bug, and hopefully it'll be
fixed in the next update.)
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE+72zH4mZch0nhy8kRAoGtAJ4hsDLiw3JRhkaOxpBxzlcEz7uO/gCbBDp0
K4zZxXopEhEHLYnYNf6TUiE=
=HzJv
-----END PGP SIGNATURE-----