On Mon, 14 Jul 2003, David Shaw wrote:
> > I think there is value in requiring uids to be self-signed. To allow
> > encrypt-only top-level keys, one has to make a special case. Given
> > that they are only very limitedly useful, I'd rather not have the
> > special case.
>
> Keep in mind that this renders valid 2440 keys invalid under 2440bis.
> I can't imagine why we'd do such a thing just to gain the ability to
> require self-signed user IDs. To be honest, I've never seen an

I am surprised that there have not been widespread attacks on OpenPGP keys
as a result of the permitted non-self-signed UIDs. I think this really
must be fixed. (And for users to add self-signatures to their existing
unsigned uids is trivial.)

> encrypt-only primary in nature. I know of no program that generates
> them. I've never used one except to test. But who am I to dictate -
> in the absence of an actual security-related reason - to someone else
> what type of key they may have?

That's what making an interoperable protocol is all about. (I'll also
argue that interoperability is a security-related reason in and of
itself.)

> Note that GnuPG doesn't have any special support for encrypt-only
> primary keys, but because of the nice general design of v4 keys, where
> any key (primary or subkey) can be of any type, encrypt-only primaries
> work just fine. I don't have a copy of PGP handy (I'm traveling), but
> I suspect that they'll "just plain work" in PGP as well. My point
> here is that it would take additional code and additional complexity
> to *prevent* encrypt-only primaries from working... so why mess around
> with this, especially since there is no security-related reason for
> it?

Simplicity is a good reason, as is the robustness of the OpenPGP system.