Werner Koch <wk(_at_)gnupg(_dot_)org> writes:
> On Mon, 4 Aug 2014 19:06, ian(_at_)icb(_dot_)im said:
>
>> I'm not so sure I would say "no software" can use them. They're odd in that
>> they're a bare Public-Key Packet, but that doesn't mean they're unusable.
>
> I won't call that an OpenPGP packet. It is not OpenPGP compatible:
> RFC4880, 12.1 Key Structures:
>
>    In a V4 key, the primary key MUST be a key capable of certification.
>
> along with 5.5.2 Public-Key Packet Formats:
>
>    OpenPGP implementations MUST create keys with version 4 format. V3
>    keys are deprecated; an implementation MUST NOT generate a V3 key,
>    but MAY accept it.
>
> v3 keys have severe weaknesses; for example, they rely on MD5. ECDH is
> not capable of signing/certifying.

For what it's worth I have a use-case for bare Public Key Packets with
direct signatures, without a user-id packet or a self-signature.
I plan to write up an I-D that will loosen the restrictions in 4880 to
allow this use-case.
Note that this use-case is not for email. Indeed, these keys are not
even user keys; they are "device keys". In my use case I'd like to use
RFC4880-style signatures for certifying those device keys.
Hopefully there is some support for this loosening?

> Shalom-Salam,
>
>    Werner

-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
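
An added example, not part of the thread or of any implementation mentioned in it: a minimal Python check of the first packet of a key against the two RFC 4880 rules quoted above (V4 format, certification-capable primary key), plus the missing User ID packet that makes a key "bare". The function names and sample bytes are constructed for illustration, and algorithm ID 18 for ECDH is taken from RFC 6637.

```python
CERT_CAPABLE = {1, 3, 17, 19}   # RSA, RSA sign-only, DSA, ECDSA (RFC 4880 9.1, RFC 6637)
TAG_PUBKEY, TAG_USERID = 6, 13

def packets(data):
    """Yield (tag, body) per packet; partial/indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bit 7 of packet header not set")
        if hdr & 0x40:                              # new-format header
            tag, o1 = hdr & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not handled")
        else:                                       # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = 1 << ltype                          # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def check_primary(data):
    """Findings for the first packet, read as the primary key of a V4 key."""
    pkts = list(packets(data))
    if not pkts or pkts[0][0] != TAG_PUBKEY or len(pkts[0][1]) < 8:
        return ["no usable Public-Key Packet at start"]
    body = pkts[0][1]
    version, findings = body[0], []
    algo = body[7] if version == 3 else body[5]     # v3 adds 2 validity octets
    if version != 4:
        findings.append(f"version {version}, not V4 (5.5.2)")
    if algo not in CERT_CAPABLE:
        findings.append(f"algorithm {algo} cannot certify (12.1)")
    if all(tag != TAG_USERID for tag, _ in pkts[1:]):
        findings.append("no User ID packet (bare key)")
    return findings

# Constructed sample: bare V4 ECDH key; key material is dummy filler bytes.
BARE_ECDH = bytes([0x98, 8, 4, 0, 0, 0, 0, 18, 0xAA, 0xBB])
```

`check_primary(BARE_ECDH)` reports both the non-certifying algorithm and the absent User ID packet; it does not look at signature packets, so a direct key signature following a bare key is not evaluated.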