ietf-openpgp
[Top] [All Lists]

Re: Requiring self-signed uids? (was Re: PoP & Signer's User ID subpacket?)

2003-07-17 17:50:32

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jul 17, 2003 at 05:50:49PM -0400, Michael Young wrote:

"David Shaw" <dshaw(_at_)jabberwocky(_dot_)com> writes:

So, as a solution, rather than ripping into the key construction
rules, why not just put in a line saying "user IDs and user attributes
SHOULD have a self-signature", and call it a day?

I think it's suitably "nice" to merit "ripping into" a key construction
rule that I have always thought was wrong.  Despite your attempts to
paint the current rule as cleaner, simpler, or more natural, I still
disagree

"Despite your attempts to paint the current rule"?  Yikes.  We're all
working towards the same goal here.  Remember who suggested dealing
with this in 2440bis.  If I liked the no-required-self-sigs status
quo, I wouldn't have brought it up.

Although it might seem I'm arguing against required self-sigs, I'm
actually fairly torn.  One problem is that combining this change with
the encrypt-only key change implies a number of subtle and not so
subtle changes, and I'm not (yet) convinced that this is the right
thing to do.

I understand that you see the removal of encrypt-only keys as an
advantage (as you seem to be arguing against encrypt-only keys almost
more than you are arguing for a required self-signature), but I don't
see things that way.

Despite what I said earlier in this thread, requiring self-sigs does
not depend on removing encrypt-only keys.  Since there seems to be
widespread agreement for the former, and not for the latter, perhaps
it would be better to resolve the self-sigs question and then discuss
encrypt-only keys as a suppurate issue.  Discussing the two issues tied
together seems to be leading nowhere.

I propose "Self-signatures are REQUIRED for all user IDs and user
attribute IDs on any key that has a primary capable of certification".
This handles the self-sig issue without changing the key construction
rules at all.

If there is consensus on this, then a different discussion can be
opened on the matter of encrypt-only keys.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE/F0RT4mZch0nhy8kRApWuAKC1nGMxvf6i26tMxHJ/gHZ3qMY6hQCfUO8V
CsPgFfLT2nQbuVAd4HA1ki0=
=qfjQ
-----END PGP SIGNATURE-----

<Prev in Thread] Current Thread [Next in Thread>