ietf-openpgp
Re: Series of minor questions about OpenPGP 4

2009-01-30 11:17:22

On Fri, Jan 30, 2009 at 10:30:28AM -0500, Daniel Kahn Gillmor wrote:
> On 01/29/2009 03:53 PM, David Shaw wrote:
> > I suppose if you had an implementation that insisted on using the
> > first signature, regardless of the date, then the revocations would
> > force it to look at the last signature.. but then, an implementation
> > that did that may have other odd semantics elsewhere.  It may conclude
> > that there is no signature at all (after all, the one signature it was
> > looking at is revoked).
>
> This would be a particularly odd implementation because "the first
> signature regardless of date" has no meaning in OpenPGP, iiuc.  There's
> nothing stopping a re-ordering of signature packets, and a certificate
> that looks like this:

Yes, it was particularly odd.  I've seen it happen, but it's broken
for all the reasons you say.

David
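
An added illustration of the point discussed in this thread (not code from either poster or from any OpenPGP implementation): choosing a self-signature by packet position gives different answers when the same packets are reordered, while choosing by creation time does not. The `SelfSig` record, its field names and the sample values are constructed for this example, and the signatures are assumed to have already been cryptographically verified.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class SelfSig:
    sig_id: str    # constructed label, not a real packet field
    created: int   # signature creation time (Unix seconds)
    revoked: bool  # True if a revocation targets this self-signature


def first_in_packet_order(sigs):
    """Position-based strategy from the thread: only look at the first packet."""
    if not sigs:
        return None
    first = sigs[0]
    # If that one packet is revoked, this strategy sees no signature at all.
    return None if first.revoked else first


def latest_valid(sigs):
    """Order-independent: newest non-revoked self-signature by creation time."""
    live = [s for s in sigs if not s.revoked]
    # sig_id breaks ties so equal timestamps still give a deterministic answer.
    return max(live, key=lambda s: (s.created, s.sig_id), default=None)


# Constructed sample: two older, revoked self-signatures and one current one.
SIGS = (
    SelfSig("A", 1200000000, True),
    SelfSig("B", 1220000000, True),
    SelfSig("C", 1233000000, False),
)


def results_over_orderings(strategy, sigs=SIGS):
    """Run a strategy over every packet ordering; collect the distinct picks."""
    return {getattr(strategy(list(p)), "sig_id", None) for p in permutations(sigs)}


if __name__ == "__main__":
    print("first-in-order:", results_over_orderings(first_in_packet_order))
    print("latest-valid:  ", results_over_orderings(latest_valid))
```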