Re: [openpgp] OpenPGPv5 wish list

2013-04-29 18:09:56
On Mon, Apr 29, 2013 at 8:40 PM, Werner Koch <wk@gnupg.org> wrote:
> Depends on what you call advanced.  OpenPGP is a low-level protocol and
> never really tried to address the application layer.
Well I think what has been proposed here now all belongs to the lowest
layer, it's just cleaning up that one and making it more general.
Especially the proposals by Hauke seem to be just what the key
management system should be responsible for and which OpenPGP
currently cannot really fulfil. Like that I have several subkeys where
one is explicitly marked as "not so safe" because I use it e.g. on my
Android phone... and where clients have a machine readable way to warn
me about data signed by such keys.

Also my proposals for having more (standardised) descriptive fields
(name, address, IM, colour of eyes, employer) seem to be quite
crucial to me.
Right now people often put such distinguishing information as a comment
into their UID, but that kinda sucks (and it kinda violates the email
RFCs, which say that any client interpreting mail addresses must
ignore the comments).

Or I'd like to be able to also include IM addresses in the keys, so
that such clients could use this information to select the right key,
which is expected on received messages.


> Why should a government do that?  eID cards started in Europe (iirc, the
> German electronic signature law was the first at all).  Europe has a
> history of waiting for X, aehmm the OSI network stack, and thus it is
> quite obvious that they started with X.400 et al.
Well I know... but now we give them even more reason.


> Further, you can make
> more (consulting) money with weakly defined/complex protocols than with
> a clean solution.  The latter almost never wins (cf. IPSec lessons).


> Maybe not for your application, so go and use your own thing for it.
> There is nothing which will stop you.  What about putting a DN into it?
Well of course I can always do whatever I want... but isn't the whole
idea of a standard that everyone should follow it as far as possible?
Clearly I can put a semicolon separated list of address, jabber
account, date of birth, name and email address into the UID,... but
everyone will think I'm crazy.


> Because X.509 has all the useless bells and whistles which have been
> suggested in the past as the solution to every problem.  Well alright,
> OpenPGP provides very similar ways to implement such features but
> fortunately it has not yet been abused
Well but X.509 simply sucks for its trust model ;-)


>   gpg -N '!foo@example.org=42' ....
>
> makes foo a critical notation.
And there's a similar syntax for the other signature subpackets? The
dates? The policy sig subpacket? Key usage? etc.?


Cheers!
_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp
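As an added illustration of what the `gpg -N '!foo@example.org=42'` example in the message above means at the wire level (this is example code written for this page, not code from GnuPG or from anyone in the thread): the leading `!` sets the critical bit (bit 7) of the subpacket type octet in a notation-data signature subpacket as laid out in RFC 4880 sections 5.2.3.1 and 5.2.3.16, and a verifier that encounters a critical subpacket it does not understand must treat the signature as invalid rather than skip it. The encoder and parser below are self-contained; the `notation_from_gpg_arg` helper and the `verifier_verdict` policy function are this example's own constructions that mirror the `-N` syntax, not GnuPG internals.

```python
"""Build and parse OpenPGP notation-data signature subpackets (RFC 4880)
and show how the critical bit changes a verifier's decision.
Example code for illustration; not GnuPG's implementation."""
from dataclasses import dataclass

SUBPACKET_NOTATION_DATA = 20          # subpacket type for notation data
CRITICAL_BIT = 0x80                   # bit 7 of the subpacket type octet
NOTATION_FLAG_HUMAN_READABLE = 0x80000000  # first flag octet, bit 7


def encode_subpacket_length(n: int) -> bytes:
    """RFC 4880 5.2.3.1: 1, 2 or 5 octet length encoding."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def decode_subpacket_length(buf: bytes, pos: int):
    """Return (length, position just after the length field)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def build_notation_subpacket(name: str, value: str, critical: bool = False,
                             human_readable: bool = True) -> bytes:
    """RFC 4880 5.2.3.16: 4 flag octets, 2-octet name length,
    2-octet value length, then name and value."""
    name_b, value_b = name.encode(), value.encode()
    flags = NOTATION_FLAG_HUMAN_READABLE if human_readable else 0
    body = (flags.to_bytes(4, "big") + len(name_b).to_bytes(2, "big")
            + len(value_b).to_bytes(2, "big") + name_b + value_b)
    type_octet = SUBPACKET_NOTATION_DATA | (CRITICAL_BIT if critical else 0)
    # the length covers the type octet plus the body
    return encode_subpacket_length(1 + len(body)) + bytes([type_octet]) + body


def notation_from_gpg_arg(arg: str) -> bytes:
    """Hypothetical helper mirroring the gpg -N argument syntax quoted in
    the thread: an optional leading '!' marks the notation critical."""
    critical = arg.startswith("!")
    name, value = arg.lstrip("!").split("=", 1)
    return build_notation_subpacket(name, value, critical=critical)


@dataclass
class Subpacket:
    type: int
    critical: bool
    body: bytes


def parse_subpackets(buf: bytes):
    """Split a hashed/unhashed subpacket area into Subpacket records."""
    out, pos = [], 0
    while pos < len(buf):
        length, pos = decode_subpacket_length(buf, pos)
        if length < 1 or pos + length > len(buf):
            raise ValueError("truncated subpacket")
        type_octet = buf[pos]
        out.append(Subpacket(type_octet & 0x7F, bool(type_octet & CRITICAL_BIT),
                             buf[pos + 1:pos + length]))
        pos += length
    return out


def parse_notation(body: bytes) -> dict:
    """Decode the body of a notation-data subpacket."""
    flags = int.from_bytes(body[:4], "big")
    nlen = int.from_bytes(body[4:6], "big")
    vlen = int.from_bytes(body[6:8], "big")
    name, value = body[8:8 + nlen], body[8 + nlen:8 + nlen + vlen]
    if len(name) != nlen or len(value) != vlen:
        raise ValueError("truncated notation data")
    return {"human_readable": bool(flags & NOTATION_FLAG_HUMAN_READABLE),
            "name": name.decode(), "value": value.decode()}


def verifier_verdict(subpackets, understood_notations) -> str:
    """Constructed policy check: a critical notation whose name the verifier
    does not understand makes the signature unusable ('reject'); a
    non-critical unknown notation is simply ignored ('accept')."""
    for sp in subpackets:
        if sp.type != SUBPACKET_NOTATION_DATA:
            continue
        note = parse_notation(sp.body)
        if sp.critical and note["name"] not in understood_notations:
            return "reject"
    return "accept"


if __name__ == "__main__":
    packet = notation_from_gpg_arg("!foo@example.org=42")
    for sp in parse_subpackets(packet):
        print(sp.type, "critical" if sp.critical else "non-critical",
              parse_notation(sp.body))
    print(verifier_verdict(parse_subpackets(packet), set()))
```

Run stand-alone it prints the parsed notation with its critical flag and the verdict `reject` for a verifier that understands no notations; drop the `!` and the same verifier answers `accept`, which is exactly the distinction the `!` prefix in the quoted command controls.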
