On Jan 19, 2008, at 2:57 AM, Daniel A. Nagy wrote:
David seems to be right about the fact that currently, there is no
distinction between key-revokers and certification revokers. However,
since this functionality is not in wide use yet, I would suggest to make
the following somewhat backwards-compatible change: The revocation key
subpacket authorizes revocations only for the subject of the certificate
in which it has been included. Thus, if it is a certificate directly on
a key, it allows the designated revoker to revoke the key. If it is in a
key-uid binding certificate, it allows the designated revoker to revoke
that particular key-uid binding.
I would be okay with this. Putting the designated revoker subpacket
in the certificate to indicate that it may be designated-revoked quite
neatly gives the issuer the power to choose, which is what I was
concerned about earlier.
Alternatively, we could add a new subpacket type with this
semantics, and leave 5.2.3.15 as it is.
Obviously, I'm okay with that as well.
A mild benefit for plan "A" is a great deal of flexibility, as the
issuer could choose on a per-certificate basis which should be
designated-revokable or not. It would tend to make certificates a bit
larger, though, as they'd have to carry a designated-revoker subpacket.
David
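
The scoping rule proposed in the quoted text, as an added example (not part of the original message and not code from any OpenPGP implementation). It assumes the caller has already verified both signatures and that the revocation targets the same key or key-uid binding as the signature carrying the subpacket; the function names and sample bytes are constructed for illustration.

```python
REVOCATION_KEY = 12                        # subpacket type, RFC 4880 section 5.2.3.15
DIRECT_KEY_SIG = 0x1F                      # signature directly on a key
CERTIFICATION_SIGS = {0x10, 0x11, 0x12, 0x13}  # key-uid binding certifications
KEY_REVOCATION, CERT_REVOCATION = 0x20, 0x30

def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                    # one-octet length
            length, i = first, i + 1
        elif first < 255:                  # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                              # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def designated_revokers(hashed_area: bytes) -> set:
    """Hex fingerprints named by well-formed revocation key subpackets."""
    found = set()
    for sub_type, body in iter_subpackets(hashed_area):
        # body: class octet (0x80 must be set), algorithm octet, 20-octet fingerprint
        if sub_type == REVOCATION_KEY and len(body) == 22 and body[0] & 0x80:
            found.add(body[2:].hex())
    return found

def may_revoke(carrier_type, carrier_hashed_area, revocation_type, revoker_fpr):
    """Proposed rule: the subpacket covers only the subject of its own signature."""
    if revoker_fpr not in designated_revokers(carrier_hashed_area):
        return False
    if carrier_type == DIRECT_KEY_SIG:         # carried directly on the key
        return revocation_type == KEY_REVOCATION
    if carrier_type in CERTIFICATION_SIGS:     # carried on a key-uid binding
        return revocation_type == CERT_REVOCATION
    return False

# Constructed sample: one revocation key subpacket (class 0x80, algorithm 17 = DSA).
SAMPLE_FPR = bytes(range(20))
SAMPLE_AREA = bytes([23, REVOCATION_KEY, 0x80, 17]) + SAMPLE_FPR
```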