-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I don't feel all that strongly about this -- in fact, I don't
consider the problem all that serious in the first place -- but
I do find the properties of the cross-signature subpacket
solution more attractive.
If I did care about someone claiming my signatures as their own, I
think I would care about old signatures as well. Under the
per-message scheme, if I cared about old signatures, I'd have to find
all of those signatures *and the associated documents* in order to
reissue them, and then I'd have to deal with disseminating them.
User agents that keep a "key ring" will likely verify a
cross-signature only once, at the same time that they verify the
subkey binding signature. It need not be a per-message cost. The
same is true for the storage and transmission of the extra material.
Yes, the cost is higher for a one-time verification... I can
live with that.
Also, note that the specification already provides a "signer userId"
subpacket that could be used to nearly the same effect as a "signer
primary fingerprint" subpacket. As I recall, the very first proposal
was to recommend/require the use of the existing "signer userId"
subpacket.
I would have no objection to defining both mechanisms, to account for
differing user needs. If I were forced to choose only one, I'd
take cross-signatures, as it adds more value beyond what we have now.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBP581Gec3iHYL8FknEQKznwCgsEm4POcdbfmEFBuCceZRZizScPMAoJ5R
hqISWew9KfD0m1/SLQOHnEtT
=L15C
-----END PGP SIGNATURE-----