Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a

On 03/14/2014 10:24 AM, Peter Pentchev wrote:
> Hm, how exactly would this deal with the existence of multiple signing
> subkeys, all associated with the same master public key?  Your current
> proposal explicitly allows for that, using the key IDs; I guess there
> might be a need to include *both* the fingerprint of the master key
> *and* some kind of identification of the subkey actually used for
> signing.

Vincent's original spec says:

> > It is common for an OpenPGP key bundle to contain multiple keys that 
> > are capable of producing signatures. For instance, this is the case 
> > when the primary certification key and a subkey both have their signing 
> > flags set (see Section 5.2.3.21 of RFC 4880). When a user wishes to 
> > create a ring signature that includes a key ID in a bundle that 
> > contains other keys capable of signing, it would make sense to include 
> > all signing-capable keys in the ring signature. 
But I'm not convinced by this last conclusion.  Why include all the
signing-capable keys?  I have a primary signing-capable key and a subkey
that is also signing-capable.  When i sign this message, i will only
sign it with one of them.  What is the rationale for including all the
keys?  It seems like it just makes the signature creation take longer,
and i don't see the benefit.  presumably the signing keys are likely to
be all controlled by the same person, right?

        --dkg

signature.asc
Description: OpenPGP digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp