ietf-openpgp
[Top] [All Lists]

Preferred Key Server subpacket in non-self-signature?

2009-04-28 11:21:46
I'm trying to understand the preferred key server subpacket [0] and how
one might reasonably respect it in an implementation without causing
potential for things that are the OpenPGP equivalent of "web bugs", but
while still keeping it useful.

While looking into this, it occured to me that the RFC doesn't
explicitly say that the Preferred Key Server subpacket must only reside
on a self-signature.  So, what would it mean if the Preferred Key Server
subpacket was included in a third-party certification?

For example, Alice has an OpenPGP with her User ID "Alice".  Bob meets
Alice, checks fingerprints, and certifies her User ID with a signature
type 0x10.  But his signature contains a Preferred Key Server sub-packet
that points back to http://bob.example.org/alice

Carol imports Alice's key, but wants to be sure that she has the latest
updates, revocations, and so forth, so she asks her OpenPGP client
(which defaults to using pool.sks-keyservers.net) to refresh from the
keyservers.  What should Carol's OpenPGP client do in this case?

What about in the case where the Preferred Key Server subpacket is on
Alice's self-sig?  What about two different Preferred Key Server
subpackets (one from Alice, one from Bob)?

        --dkg

http://tools.ietf.org/html/rfc4880#section-5.2.3.18

Attachment: signature.asc
Description: OpenPGP digital signature

<Prev in Thread] Current Thread [Next in Thread>