ietf-openpgp

Re: Whither the 0x40 timestamp signature?

2004-04-20 08:12:06

On Mon, Apr 19, 2004 at 09:19:18PM -0700, Jon Callas wrote:
> > I'm not necessarily requesting that 0x40 be fleshed out and clarified:
> > I'd be just as content to see it dropped.  If, as I assume, the 0x40
> > is just the same as the 0x50 with a different (human) interpretation,
> > then perhaps we should just drop it.  If people want to assign human
> > interpretations to their signatures, let them use notations.
>
> As I remember, it stays there for the same reason that some other
> seldom-to-never-used signature types are there: for backwards
> compatibility with their never being used. They are there for the same
> reason there is old stuff in my garage -- we hope to use it someday.
>
> I'm not sure spring cleaning is warranted, but it's easy enough, if
> people think so.

I'm not sure about spring cleaning, either.  Underspecified parts of
the standard trouble me, however.  They can't be implemented, and they
aren't marked "for future use" either.

The 0x40 signature was mentioned in 1991 as a signature over a
signature, but no information was given on how to actually make one.
2440 redefined the 0x40 as a "timestamp signature", but still no
information was given on how to make one, and it was no longer stated
to be a signature over a signature.

The 2440bis drafts add a little hint in that 0x40 gets a signature
target, which only makes sense if 0x40 has a signature as at least
part of its input.

I'll defer to the feeling of the WG on whether to drop or not.
However, if we are going to keep 0x40 in the standard, we should at least
say how to make one or explicitly mark it for future use.

If the intent is that 0x40 is in fact a signature over a signature
(and nothing else), then a simple fix is to change section 5.2.1,
which currently says:

    0x40: Timestamp signature.
        This signature is only meaningful for the timestamp contained
        in it.

Change to read:

    0x40: Timestamp signature.
        This signature is a signature over some other OpenPGP
        signature packet(s).  It is only meaningful for the timestamp
        contained in it.

I'm not advocating that outcome.  I'm equally content to see it
defined, marked for future use, or dropped.

David
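
Added example, not part of the original message or of any OpenPGP implementation: a Python parser that reads a version 4 signature packet body, reports whether it is type 0x40, and extracts the Signature Target subpacket that the 2440bis drafts associate with that type. The subpacket numbers (2 and 31) and the packet layout follow RFC 4880, the published form of 2440bis; the function names and the sample packet are constructed for this example.

```python
import struct

SIG_TIMESTAMP = 0x40       # "Timestamp signature" (section 5.2.1)
SUB_CREATION_TIME = 2      # Signature Creation Time subpacket
SUB_SIGNATURE_TARGET = 31  # Signature Target subpacket (RFC 4880 numbering)

def iter_subpackets(area):
    """Yield (type, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                           # one-octet length
            length, i = first, i + 1
        elif first < 255 and i + 1 < len(area):   # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 4 < len(area):  # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket overruns its area")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def inspect_v4_signature(body):
    """Report type, creation time and Signature Target of a v4 signature body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("hashed subpacket area truncated")
    info = {"type": body[1], "created": None, "target": None}
    for kind, data in iter_subpackets(hashed):
        if kind == SUB_CREATION_TIME and len(data) == 4:
            info["created"] = struct.unpack(">I", data)[0]
        elif kind == SUB_SIGNATURE_TARGET and len(data) > 2:
            info["target"] = {"pk_alg": data[0], "hash_alg": data[1], "digest": data[2:]}
    # A 0x40 with no target names no signature at all: the ambiguity discussed above.
    info["untargeted_timestamp"] = body[1] == SIG_TIMESTAMP and info["target"] is None
    return info

def constructed_sample(with_target):
    """Constructed 0x40 body: placeholder all-zero digest, no real signature MPIs."""
    hashed = bytes([5, SUB_CREATION_TIME]) + struct.pack(">I", 1082458112)
    if with_target:  # DSA (17), SHA-1 (2), 20-octet placeholder digest
        hashed += bytes([23, SUB_SIGNATURE_TARGET, 17, 2]) + bytes(20)
    return (bytes([4, SIG_TIMESTAMP, 17, 2]) + struct.pack(">H", len(hashed))
            + hashed + b"\x00\x00" + b"\xab\xcd")
```

The parser only inspects the hashed subpacket area; it does not verify the signature or check that the target digest matches any real signature packet.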