Jon writes:
fixed. Here's what they say now:
0x18: Subkey Binding Signature
This signature is a statement by the top-level signing key that
indicates that it owns the subkey. This signature is calculated
directly on the primary key and subkey, not on any User ID or
other packets. A signature that binds a signing subkey MUST have
an embedded signature subpacket in this binding signature which
contains a 0x19 signature made by the signing subkey on the
primary key.
0x19 Primary Key Binding Signature
This signature is a statement by a signing subkey, indicating
that it is owned by the primary key and subkey. This signature
is calculated directly on the primary key itself, and not on any
User ID or other packets.
This last sentence is not right. Perhaps surprisingly, Primary Key Binding
Signatures (which are issued by subkeys) hash both the primary and subkey
packet bodies.
Hal