-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Jul 14, 2003 at 02:07:27AM -0400, David Shaw wrote:
On Sun, Jul 13, 2003 at 11:37:24PM -0400, Michael Young wrote:
"David Shaw" <dshaw(_at_)jabberwocky(_dot_)com> writes:
The only thing that really troubles me about the idea is that it
raises problems for the (legal, to my reading of 2440) encrypt-only v4
key.
This doesn't trouble me... I strongly believe that we should
remove the loophole that allows encrypt-only top-level v4 keys,
for exactly this reason. (I was astounded when David pointed out
the seemingly permissive language in another forum.)
Just so we're all clear, Michael and I had been discussing the
legality of a v4 encrypt-only primary WITHOUT any subkeys. An
encrypt-only key WITH subkeys is clearly forbidden in 2440 both
implicitly (an encrypt-only primary key could not issue the
non-optional subkey binding signatures) and explicitly ("In a key that
has a main key and subkeys, the primary key MUST be a key capable of
certification.").
This is just a primary key that happens to be of an encrypt-only
algorithm (presumably #16, since there is no way to express an
encrypt-only primary key with algorithm #1 (you would need to use #2,
which is deprecated)).
I should add, though, that I don't really understand the objection to
an encrypt-only primary. OpenPGP is a collection of various tools
that can be combined in different ways for different uses. Some
combinations are more useful than others, and some make no sense, but
I don't see why (in the absence of an actual problem) one particular
combination should be considered a "loophole" and removed.
Do I strongly care about encrypt-only primaries in particular? Not
really. I do care about clean design, though, and adding a special
additional "no encrypt-only primaries" rule on top of the current
clean primary/subkey design seems without clear benefit.
Can you explain what troubles you about encrypt-only primaries?
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE/EsMW4mZch0nhy8kRAhl9AKCAnW30D4l+W+pC/hhLEXs9TONulQCfeOnP
+0pShRqWTG3OCdbC42bje9U=
=iQ9h
-----END PGP SIGNATURE-----