ietf-openpgp

Re: IETF-63 Proceedings Submission

2005-09-03 07:24:51

Of course this didn't make it into the minutes; this message
happened well after the IETF met in August.  The minutes are a
status report of the IETF meeting; they do not take into account
messages that have been processed *since* the IETF.

-derek

And no, we're not in final call, yet.  I need to catch up and
make sure we've handled all the open issues.  I'll see if I
can get to that this week.

Ian G <iang(_at_)systemics(_dot_)com> writes:

Derek Atkins wrote:
        - If you want changes in wording - need to be compatible and suggest 
text.
        - Only open issue is David Shaw's BNF request for literal+literal.  
No reason not to include David Shaw's request, but not in draft 14.  Should 
go into 15

I guess the below didn't make it then.  Oh well.



-------- Original Message --------
Subject: Re: Signature types
Date: Sat, 27 Aug 2005 10:25:07 +0100
From: Ian G <iang(_at_)systemics(_dot_)com>
Organization: http://financialcryptography.com/
To: ietf-openpgp(_at_)imc(_dot_)org
References: <20050827075018(_dot_)GA17967(_at_)epointsystem(_dot_)org>


Daniel A. Nagy wrote:
... [some stuff]

On that section, but not on Daniel's question, it occurs to
me that the caveat found half way down ("Please note that
the vagueness...") could be usefully expanded to cover all
of 5.2.1.

Something like:

5.2.1. Signature Types

  There are a number of possible meanings for a signature.
  By convention, OpenPGP suggests meanings by the following
  signature type octets in any given signature.

  Please note that the vagueness of these signature claims
  is not a flaw, but a feature of the system.  Cryptographic
  signing technology alone cannot make these claims true,
  and a relying party would need to examine the intentions
  of any signer, and the wider context of the system and
  environment in order to assess any claims.  OpenPGP places
  final authority and responsibility on the receiver of any
  signature.

  0x01:...

Which then allows a simplification of the post-0x13 comment:

  0x13:...

    Please note that one authority's casual certification
    might be more rigorous than some other authority's
    positive certification. These classifications allow a
    certification authority to issue fine-grained claims.

    Most OpenPGP implementations make their "key signatures" as 0x10
    certifications. Some implementations can issue 0x11-0x13
    certifications, but few differentiate between the types.


As an alternate, such general commentary could append to the
end of the section - but in legal terms, if it is a warning
as to limitations, it should be at the front.  Given the
somewhat poisoned waters of digital signatures, I'd prefer
to see the disclaims before any claims.

iang

PS: are we in final call already?





-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
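Added example, not part of this thread or of the OpenPGP draft under discussion: a small Python parser that reads one v4 OpenPGP signature packet and reports the signature type octet that the proposed 5.2.1 text describes, flagging 0x10-0x13 as the certification types. The function names (parse_packet_header, parse_subpackets, describe_signature, build_sample_certification) and the sample packet bytes are constructed here; the sample's hash and MPI bytes are filler, so it is not a verifiable signature. The type table and packet layout follow RFC 4880, which is what the rfc2440bis drafts became.

```python
import struct

# Signature type octets and their conventional meanings (RFC 4880, section 5.2.1).
SIG_TYPES = {
    0x00: "binary document", 0x01: "canonical text document", 0x02: "standalone",
    0x10: "generic certification of a User ID and Public-Key packet",
    0x11: "persona certification", 0x12: "casual certification",
    0x13: "positive certification", 0x18: "subkey binding", 0x19: "primary key binding",
    0x1F: "signature directly on a key", 0x20: "key revocation",
    0x28: "subkey revocation", 0x30: "certification revocation",
    0x40: "timestamp", 0x50: "third-party confirmation",
}


def parse_packet_header(data, offset=0):
    """Return (tag, body_offset, body_length) for one packet header at offset."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths are not handled in this example")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if length_type == 0:
        return tag, offset + 2, data[offset + 1]
    if length_type == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if length_type == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate packet length is not handled in this example")


def parse_subpackets(buf):
    """Return a list of (type, critical, data) for a signature subpacket area."""
    out, pos = [], 0
    while pos < len(buf):
        first = buf[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
        out.append((buf[pos] & 0x7F, bool(buf[pos] & 0x80), buf[pos + 1:pos + length]))
        pos += length
    return out


def describe_signature(packet):
    """Parse a v4 signature packet and report what it *claims*; no verification."""
    tag, start, length = parse_packet_header(packet)
    if tag != 2:
        raise ValueError("not a signature packet (tag 2)")
    body = packet[start:start + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = parse_subpackets(body[pos + 2:pos + 2 + unhashed_len])
    info = {"sig_type": sig_type, "meaning": SIG_TYPES.get(sig_type, "unknown/reserved"),
            "is_certification": 0x10 <= sig_type <= 0x13, "pk_alg": body[2],
            "hash_alg": body[3], "creation_time": None, "issuer_key_id": None,
            "issuer_from_unhashed": False}
    for stype, _, data in hashed:               # creation time is only trusted if hashed
        if stype == 2 and len(data) == 4:
            info["creation_time"] = struct.unpack(">I", data)[0]
    for area, packs in (("hashed", hashed), ("unhashed", unhashed)):
        for stype, _, data in packs:            # issuer (type 16) may sit in either area
            if stype == 16 and len(data) == 8 and info["issuer_key_id"] is None:
                info["issuer_key_id"] = data.hex().upper()
                info["issuer_from_unhashed"] = area == "unhashed"
    return info


def build_sample_certification(sig_type):
    """Construct a v4 signature packet of the given type (filler bytes, not signable)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1125134707)      # type 2: creation time (constructed)
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")  # type 16: issuer (constructed)
    body = bytes([4, sig_type, 1, 2])                            # v4, type, RSA (1), SHA-1 (2)
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\xAB\xCD"                                          # left 16 bits of hash (filler)
    body += struct.pack(">H", 16) + b"\xFF\xFF"                  # one 16-bit MPI (filler)
    return bytes([0xC0 | 2, len(body)]) + body                   # new-format header, tag 2


if __name__ == "__main__":
    for t in (0x10, 0x13, 0x01):
        print(describe_signature(build_sample_certification(t)))
```

The parser reports what the signature type octet claims, which is exactly the point of the proposed caveat: a 0x13 in the packet is the signer's assertion of a positive certification, not evidence that any checking was done. The issuer subpacket is also recorded with the area it came from, because an issuer in the unhashed area is not covered by the signature and so is itself only a hint to the relying party.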
