-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I like the general proposal, for all of the reasons that David
listed.
My only question is about the encoding of the cross-signature
subpacket contents. It could be anything from:
a full Signature packet (including packet header); to,
just the Signature packet contents; to,
a leaner form with just the required fields (hash algorithm
and signature MPIs), with the rest being assumed for the
hash computation in order to reuse that.
I could live with any of these, but I lean toward the middle one.
We may uncover a need for subpackets in the cross-signature itself,
but it's hard to imagine wanting to use a different packet type
(as opposed to signature *version*), and the length is absolutely
redundant. [Note that the signature computation hashes a canonical
header, not the actual one.]
If we do use a regular Signature packet (with or without header),
then
I'd like to see a recommendation on what subpackets it should
contain.
The usual rules don't apply: for example, the issuer is known. I
don't see a *need* for any subpackets, even creation time (but I'm
open to arguments).
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBP57l6uc3iHYL8FknEQLpywCg9RM4ZmGdMwymtDmhRByKaMwywQMAn0Qf
rnWryiBvTQJ0JA1huQQqCh81
=SW/6
-----END PGP SIGNATURE-----