ietf-openpgp

Re: Policy URL -> Policy URI

2005-02-08 02:24:23

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Jon, others,

> Okay, I see what you're saying, but is it necessary?

I think it is.

1. I think PGP is providing too little certainty about the meaning of a
   signature with its current four-grade signing setup.  At least, it is
   not suitable for commercial use, which would be great to support.  A
   suitable policy mechanism can help in that case.

2. It is not smart to fall behind on other signing flexibility; PGP already
   lacks the appeal to decision-makers that PKIX and even XML Signing have;
   any URN-based policy initiative could therefore easily forget to
   incorporate PGP and render it useless for that kind of application.

3. There are always work-arounds.  For example, the kind of schemes
   suggested under 2. could declare a website to do the translation from
   URN to URL for the sake of PGP.  Aside from that being awkward, it would
   be a challenge to the longevity of the spec and may for that reason be
   left out.  We don't want that to happen.

> A long time ago, the keyserver URL said URI and we changed it for
> reasons that I can't remember.  I think it's because we didn't think it
> was necessary, that if it happened to be a URI, the worst that could
> happen would be that someone wouldn't understand it, but that's always
> a risk.

Indeed, the *keyserver* should not be referenced by name -- if you cannot
determine the location of a server what is it going to be good for?

For policies, I think we have a whole different matter at hand --
references to books, an ISSN-series of widely acknowledged signing policies
and ASN.1 OIDs are all good ways to point at a policy.  Moreover, they are
supportive of Internet-wide schemes, which is rarely the case if a URL is
used.

Imagine that I would start pushing PGP-signers to follow
        http://openfortress.nl/doc/some-policy.pdf
How would that make you feel?  It would mean some company set it up.  A
company with full control over the URL.  Other companies are going to be
too proud or too smart to use the same signing policy *location*.  Even if
they literally copy the content, the average signature validator would not
notice because the strings differ.  In short, URLs are bad for
interoperable policies.

A URN-scheme on the other hand, can serve quite well for Internet-wide,
non-proprietary published policies.  It can enforce the secure hash of a
document, which can only be weakly suggested in a URL.  That would take
care of the pride issue.  Furthermore, URNs can support rewriting to
equivalent forms, which would be helpful for supportive software to find
more matches than a simple string match can be.

> If you happened to put in the policy URL an ISBN number, wouldn't it be
> obvious what it meant? Wouldn't it work just fine?

There are always work-arounds, but why invite them?  There are no
disadvantages to changing to a Policy URI.

> I don't mind changing it, but is this just a difference without
> distinction?

The change is vital in my opinion.


Thanks,
 -Rick

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: To understand digital signatures visit http://openfortress.nl

iD8DBQFCCIUsFBGpwol1RgYRAm41AJ4p8RN6BJ88+BW+gI7vkbodv6BH7ACeP2Wq
GL8TuglRzRNGvW2/PyeDH2Y=
=axg7
-----END PGP SIGNATURE-----
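
The comparison problem raised in the message above, as an added example (not part of the original message or of any OpenPGP specification): two hosts publish byte-identical policy text, a string match on their URLs fails, and a content-hash URN with a rewriting rule matches. The `urn:example:policy:sha256:` namespace, its case-insensitive equivalence rule, the host names and the policy text are all assumptions constructed for illustration.

```python
import hashlib

# Constructed sample: the same policy text published by two companies.
POLICY_TEXT = b"Signer verified the key holder's passport in person.\n"
PUBLISHED = {
    "http://a.example/doc/some-policy.pdf": POLICY_TEXT,
    "http://b.example/legal/signing-policy.pdf": POLICY_TEXT,
}

PREFIX = "urn:example:policy:sha256:"  # hypothetical namespace (assumption)


def policy_urn(document: bytes) -> str:
    """Name a policy by the SHA-256 of its content, not by where it is hosted."""
    return PREFIX + hashlib.sha256(document).hexdigest()


def normalize(urn: str) -> str:
    """Rewrite a URN to canonical form; raise ValueError if malformed.

    Assumed equivalence rule for this namespace: the whole string is
    case-insensitive (the NSS holds only fixed labels and hex digits).
    """
    canon = urn.strip().lower()
    digest = canon[len(PREFIX):]
    if not canon.startswith(PREFIX) or len(digest) != 64 \
            or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a policy URN: {urn!r}")
    return canon


def same_policy(uri_a: str, uri_b: str) -> bool:
    """Validator-side comparison of two Policy URI values."""
    try:
        return normalize(uri_a) == normalize(uri_b)
    except ValueError:
        return uri_a == uri_b  # plain URLs: only an exact string match is possible


def document_matches(urn: str, document: bytes) -> bool:
    """Check a retrieved document against the hash its URN commits to."""
    return normalize(urn) == policy_urn(document)
```
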

