ietf-openpgp

Re: PoP & Signer's User ID subpacket?

2003-06-17 13:07:33

At 08:30 AM 6/17/2003 -0400, David Shaw wrote:

> On Mon, Jun 16, 2003 at 09:47:59PM -0700, Trevor Perrin wrote:
> > [...]
> > The problem is that there's a forward-linkage from a primary key to a
> > subkey, but no back-linkage from a signing subkey to the primary key.  Hal
> > suggested having the signing subkey also certify the primary key.  I
> > suggested having the signatures produced by the signing subkey have the
> > primary key's ID as a hashed subpacket.
>
> Yes.  There are pros and cons, but on balance I like Hal's solution a
> bit better as it only needs to be done once, presumably at key
> generation time.  The subpacket solution needs to be done every time
> the signing subkey issues a signature.
>
> The subpacket solution does have a nice side effect in that it becomes
> possible to always know the primary key when looking at a subkey
> signature.  Since most keyservers don't support search-by-subkey yet,
> this could be handy. [...]

Another slight advantage is that the relying party doesn't have to verify an extra signature. Also, pre-existing keys with signing subkeys wouldn't have to be modified; they could just start issuing signatures with this new subpacket. (On the other hand, with the solution you and Hal advocate, if you *do* modify the key by adding a back-signature, then pre-existing message signatures can take advantage of it, so maybe this is a wash.)

Either solution seems fine. You also mentioned requiring self-signatures on user IDs, which seems like a good thing to insist on, and pretty much takes care of the proof-of-possession concern I was raising, I think.

Trevor
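
The two back-linkage checks discussed in this message, seen from the relying party's side, as an added example that is not part of the original post or of any OpenPGP implementation. It assumes toy textbook RSA in place of real OpenPGP signatures, dicts in place of packets, hypothetical names throughout, and models the proof-of-possession concern as a second primary key issuing a forward binding over a subkey whose private half it does not hold.

```python
import hashlib

E = 65537

def mersenne(k):  # 2**k - 1 is prime for the exponents used below; toy key material only
    return 2**k - 1

def make_key(p, q):  # textbook RSA, a stand-in for real OpenPGP signatures
    return {"pub": (p * q, E), "d": pow(E, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, _ = key["pub"]
    return pow(_h(data, n), key["d"], n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

def key_id(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16].encode()

def binding(kind, primary_pub, sub_pub):
    return kind + b":" + key_id(primary_pub) + b":" + key_id(sub_pub)

def make_cert(primary, sub_pub, sub=None):
    # Forward binding needs only the subkey's public half; a back-signature needs its private half.
    cert = {"primary": primary["pub"], "sub": sub_pub, "back": None,
            "fwd": sign(primary, binding(b"fwd", primary["pub"], sub_pub))}
    if sub is not None:
        cert["back"] = sign(sub, binding(b"back", primary["pub"], sub_pub))
    return cert

def sign_message(sub, msg, primary_pub):
    hashed = key_id(primary_pub)  # primary key's ID carried as a hashed subpacket
    return {"hashed": hashed, "sig": sign(sub, hashed + b"|" + msg)}

def accepts(cert, msg, msig, policy):
    p, s = cert["primary"], cert["sub"]
    if not verify(p, binding(b"fwd", p, s), cert["fwd"]):
        return False
    if not verify(s, msig["hashed"] + b"|" + msg, msig["sig"]):
        return False
    if policy == "back-sig":      # subkey certifies the primary key, checked once per key
        return cert["back"] is not None and verify(s, binding(b"back", p, s), cert["back"])
    if policy == "subpacket":     # primary key ID bound into every subkey signature
        return msig["hashed"] == key_id(p)
    return True                   # "forward-only": no back-linkage checked

def demo():
    owner, sub = make_key(mersenne(89), mersenne(107)), make_key(mersenne(127), mersenne(521))
    other = make_key(mersenne(61), mersenne(607))
    msg = b"constructed sample message"
    msig = sign_message(sub, msg, owner["pub"])
    certs = {"owner": make_cert(owner, sub["pub"], sub),   # key updated with a back-signature
             "legacy": make_cert(owner, sub["pub"]),       # pre-existing key, never modified
             "other": make_cert(other, sub["pub"])}        # forward binding only, no possession
    return {(c, pol): accepts(certs[c], msg, msig, pol)
            for c in certs for pol in ("forward-only", "back-sig", "subpacket")}
```

The `legacy` row shows the trade-off raised in the reply: an unmodified key passes the subpacket check but not the back-signature check, while either check rejects the `other` certificate that a forward-only verifier accepts.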