It seems important to me to consider replacing URL with URI in the OpenPGP
spec. This would include URN-schemes, such as references to books that
everybody can pick up in their local bookstore or at Amazon. A book URN
would look like URN:ISBN:1-234-56789-0 (see RFC 3187). There are several
other useful URN schemes.

There are two places in the specification that speak of URLs; one is the
keyserver (which really is a location, so it makes sense to keep it as
a URL) and the other is the policy. I think it makes sense to support more
than just the available-on-my-website kind of local/incompatible policies.

Note that other signing standards do speak of URIs for policies. In the
PKIX standard RFC 3280, there is a CPSuri definition; in RFC 3275 (XML
Signing) there is no explicit support for policies (...) but the proper way
of getting it into the signature is with a <Reference/> element which
obtains its information from a URI rather than just a URL.

In OpenPGP, replacing a Policy URL with a Policy URI need not lead to
conflicts with older software; insofar as they interpret the subpacket,
they usually treat it either as a literal string that should be matched or
as something that can be presented in a browser. The reason is that
policies cannot be interpreted by software -- they are usually written in
Browsers are supposed to resolve URN-schemes; as far as they do not
recognise them they will consider the urn: start as a protocol, and of
course state that they do not support it. Same goes for any other
In other words, the change of a Policy URL into a Policy URN seems
advantageous, and I cannot see how it could cause problems. I therefore
warmly recommend changing it.

Rick van Rein,
OpenFortress Digital signatures