David Shaw <dshaw(_at_)jabberwocky(_dot_)com> writes:
On Fri, Nov 04, 2005 at 03:51:35PM +0100, Simon Josefsson wrote:
Yes, how about this use-case: An announcement-only mailing list
might prefer OpenPGP signed messages. It could then add a 'OpenPGP:
preference=sign' message to all list posts. The sender could be the
mailing list address, which may not have a OpenPGP key at all. So
you couldn't fetch an OpenPGP key for the mailing list address.
Arguable, the mailing list managers could create a dummy OpenPGP key
for the mailing list address, and set the e-mail preference and
upload the key. However, so could anyone, since the key isn't used
nor trusted by anyone. The announcement-only mailing list could be
some abstract mail addresses too. Like
submit(_at_)bugs(_dot_)debian(_dot_)org or
similar.
I agree this is a reasonable use. I've also re-read over the -02
draft, and it does have language in section 2 about not overtrusting
the header that I had missed earlier.
Would it be worth making this more explicit by adding something about
actual conflicts between the OpenPGP header and the key to that
section? Something like:
Section 2 is intended to give an introduction, so I believe such text
should belong in the section that define the header. It would be
useful to repeat the warning there as well.
I have added the following at the beginning of section 3:
<t>Because the header is typically not integrity protected, the
information conveyed in the OpenPGP header field MUST NOT be
trusted without additional verification. Some of the
information given in this header may also be given on the
OpenPGP key itself. When these two sources conflict, users
SHOULD favor the information from the OpenPGP key, as that
information can be cryptographically protected.</t>
What do you think?
Thanks,
Simon