Werner Koch <wk(_at_)gnupg(_dot_)org> writes:

> On Mon, 4 Aug 2014 19:06, ian(_at_)icb(_dot_)im said:
>
>> I'm not so sure I would say "no software" can use them. They're odd in that
>> they're a bare Public-Key Packet, but that doesn't mean they're unusable.
>
> I won't call that an OpenPGP packet. It is not OpenPGP compatible:
>
> RFC4880, 12.1 Key Structures:
>
>     In a V4 key, the primary key MUST be a key capable of certification.
>
> along with 5.5.2 Public-Key Packet Formats:
>
>     OpenPGP implementations MUST create keys with version 4 format. V3
>     keys are deprecated; an implementation MUST NOT generate a V3 key,
>     but MAY accept it.
>
> v3 keys have severe weaknesses; for example, they rely on MD5. ECDH is
> not capable of signing/certifying.

For what it's worth I have a use-case for bare Public Key Packets with
direct signatures, without a user-id packet or a self-signature.
I plan to write up an I-D that will loosen the restrictions in 4880 to
allow this use-case.
Note that this use-case is not for email. Indeed, these keys are not
even user keys; they are "device keys". In my use case I'd like to use
RFC4880-style signatures for certifying those device keys.
Hopefully there is some support for this loosening?
Derek Atkins 617-623-3745
Computer and Internet Security Consultant
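
The packet-level checks this thread argues about, as an added example that is not part of the original messages or of any implementation named in them: it walks an OpenPGP packet sequence and reports whether it is a key with a User ID or a bare Public-Key packet with direct-key (0x1F) signatures, plus which of the quoted RFC 4880 rules it breaks. The function names and result strings are hypothetical, the certification-capable algorithm set is an assumption taken from the RFC 4880 and RFC 6637 algorithm IDs, and no signature is verified.

```python
PUBKEY, SIGNATURE, USER_ID = 6, 2, 13   # packet tags (RFC 4880, 4.3)
DIRECT_KEY_SIG = 0x1F                   # signature type (RFC 4880, 5.2.1)
CERT_CAPABLE = {1, 3, 17, 19}           # RSA, RSA sign-only, DSA, ECDSA

def packets(data):
    """Yield (tag, body) per packet; definite lengths only."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                  # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                n, i = first, i + 2
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not handled")
        else:                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        if i + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + n]
        i += n

def check_key(data):
    """Return (shape, problems) for a public-key packet sequence."""
    pkts = list(packets(data))
    if not pkts or pkts[0][0] != PUBKEY or len(pkts[0][1]) < 6:
        raise ValueError("does not start with a Public-Key packet")
    key, rest, problems = pkts[0][1], pkts[1:], []
    if key[0] != 4:
        problems.append("key version %d, not V4 (5.5.2)" % key[0])
    elif key[5] not in CERT_CAPABLE:
        problems.append("algorithm %d cannot certify (12.1)" % key[5])
    direct = [b for t, b in rest if t == SIGNATURE and b[:2] == bytes([4, DIRECT_KEY_SIG])]
    if any(t == USER_ID for t, _ in rest):
        return "key with User ID", problems
    problems.append("no User ID packet (11.1)")
    return ("bare key with direct signatures" if direct else "bare key"), problems

def pkt(tag, body):                     # builds constructed samples (< 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body
```

For example, `check_key(pkt(6, b"\x04" + bytes(4) + bytes([19]) + bytes(8)) + pkt(2, b"\x04\x1f" + bytes(8)))` classifies a constructed ECDSA device key (dummy key material) as a bare key with direct signatures whose only finding is the missing User ID.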