-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, Oct 28, 2003 at 10:34:17PM -0500, Michael Young wrote:

> I don't feel all that strongly about this -- in fact, I don't
> consider the problem all that serious in the first place -- but
> I do find the properties of the cross-signature subpacket
> solution more attractive.

I think I do as well. I like that it handles old signatures, and I'm
not yet convinced that the include-the-fingerprint covers all of the
attacks that the back-signature does.

> Also, note that the specification already provides a "signer userId"
> subpacket that could be used to nearly the same effect as a "signer
> primary fingerprint" subpacket. As I recall, the very first proposal
> was to recommend/require the use of the existing "signer userId"
> subpacket.

Nearly the same effect, yes, but ultimately a different problem.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.4-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
iHEEARECADEFAj+fSfcqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJvzsAn1pGb8SPcWHssnbVQKncJRx+hlGFAKDd
Kro5CviMXOZpFmfuy4xuQId8fw==
=zgtR
-----END PGP SIGNATURE-----