-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun, Jul 20, 2003 at 02:41:39AM -0700, Jon Callas wrote:
I was basically against it until it was explained to me why people
wanted it, and I ended up thinking, "Hmmm, we don't have a
compression system in there that's newer than 1977, and customers
are often right."
I rather like the idea of OpenPGP as an archival primitive.
Yes, I know that there are potential interoperability issues when keys get
migrated around, but I also of the opinion that when an implementation
imports a key, it should make sure that the preferences reflect what it
supports.
Amen. Can that be explicitly stated in the next draft?
I'm under the impression that it already says "SHOULD" in there. I
don't think it should be any stronger. It's a feature of OpenPGP
that it's small. I don't want to force someone who wants to embed
OpenPGP in something like a pager network (yeah, yeah, these days
pagers play videos) to have to do everything in PGP or GPG.
OpenPGP is not supposed to mandate all the features a good desktop
program should have.
The current draft says:
Since a self-signature contains important information about the
key's use, an implementation SHOULD allow the user to rewrite the
self-signature, and important information in it, such as preferences
and key expiration.
How about adding:
Note that without the ability to rewrite a self-signature,
interoperability issues may occur when the same key is used in more
than one implementation. Implementations may wish to check keys
upon import to ensure that the preferences on the key match the
reality of the implementation.
That doesn't mandate anything, but does call attention to the problem.
I guess the last line could be a SHOULD if there was a desire to make
it stronger.
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iD8DBQE/Grm34mZch0nhy8kRArTVAJ0QEy6D4gNSk36D7yYsEMZ7SO49RQCfTKvL
KVT6B0DW1k3jjmjLlQcU0io=
=/PoE
-----END PGP SIGNATURE-----