ietf-openpgp
[Top] [All Lists]

Re: Multiple signatures in clearsigned messages (was Re: Cleartext Signatures)

2005-10-12 08:53:47

<chair hat on>

As a process point..  2440bis is going into PROPOSED standard, which
means we don't need the deployment experience right now.  There's
no need to rip out this section now -- we can always remove it
before going to DRAFT standard if we don't get the experience
by then.

So, if there is concensus to remove it now we can..  But from
a process standpoint there's no need to remove it if we think
the language is clear about how to create and parse and understand
the packet type.

</chair hat off>

-derek

David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:

On Wed, Oct 12, 2005 at 12:07:13AM -0700, "Hal Finney" wrote:

I am a bit uncomfortable with the notarization signature in general.
We have it in the draft but have no experience with it in reality,
which is kind of the opposite of the usual IETF procedure.  I guess it
was somebody's bright idea that got stuck in, in case people might want
to use it someday.

The fact that we may have to add further rules clarifying how to use it
just emphasizes our lack of experience with the construct.  Often with
these things you don't find the problems until you actually try to use it
for something and interoperate with others.  Given that notary signatures
have been in the draft in some form or other for years without seeing
any use that I know of, should we consider taking them out?

While I hate to say it, given the number of hours that went into it
thus far, I think I agree.  Last call is approaching, and we have no
implementations of it and no experience with it.

This isn't to say that I think we should scrap notary signatures -
just that it might be a good idea to bump them into their own RFC so
as not to delay 2440bis.  I don't believe that implementation and
experience can be achieved in time, and I'd rather see them done right
than done in 2440bis.

David

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant