
Re: [openpgp] Updated Draft (was Re: OpenPGP extension to allow for Primary Encrypt-only Keys)

2014-09-12 08:18:16
Hi,

On Fri, September 12, 2014 8:37 am, Daniel A. Nagy wrote:
> Thank you!
>
> On 09/09/2014 04:30 PM, Derek Atkins wrote:
>> "Daniel A. Nagy" <nagydani(_at_)epointsystem(_dot_)org> writes:
>>
>>> Question:
>>>
>>> Does this specification allow for signature/certification keys without
>>> user ID and self-certification?
>>
>> Yes, it is allowed.
>>
>>> I am a bit confused with the wording.
>>> Please indicate in your answer which section allows (or prohibits) such
>>> keys. Maybe we could make it more explicit?
>>
>> Section 2 allows it through the definition of the "Augmented v4 device
>> certificate".  Wording suggestions to make it more clear are welcome.  I
>> suppose your confusion is my use of the word "can" throughout that
>> section?
>
> I got confused by this:
>
> "A primary key capable of making signatures SHOULD be accompanied by
>    either a certification signature (on a User ID or User Attribute) or
>    a signature directly on the key.
> ...
> It MAY accept public keys without an
>    accompanying signature."
>
> Basically, it says that signature-capable primary keys without
> certification are not really proper, but a sufficiently liberal
> implementation may still accept them.

Correct.  Do I need to reword that or add something to make that more clear?

> Now, the only thing a self-certification directly on the key proves is
> that the public key is not bogus; it does, indeed, have a private
> counterpart, right?

That and a self-assertion of any particular notations in the signature.

> Regards,
>
> Daniel

Thanks,

-derek

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
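
An added example, not code from the draft or from either poster, that applies the quoted SHOULD/MAY rule as a structural check over an OpenPGP packet sequence: a signing-capable v4 primary key is "compliant" when a User ID/Attribute certification or a direct-key signature follows it, and a bare one is only accepted when the caller opts into the MAY. It assumes new-format packet headers, verifies no signature cryptographically, and uses constructed dummy packets rather than real key material.

```python
PUBLIC_KEY, USER_ID, USER_ATTR, SIGNATURE = 6, 13, 17, 2  # packet tags, RFC 4880 4.3
CERT_SIG_TYPES = {0x10, 0x11, 0x12, 0x13}  # certifications of a User ID / Attribute
DIRECT_KEY_SIG = 0x1F                       # signature directly on the key
SIGNING_CAPABLE_ALGOS = {1, 3, 17, 19, 22}  # RSA, RSA sign-only, DSA, ECDSA, EdDSA

def parse_packets(data):
    """Yield (tag, body); assumes new-format headers with one- or two-octet lengths."""
    i = 0
    while i < len(data):
        hdr, first = data[i], data[i + 1]
        if not hdr & 0x40 or first >= 224:
            raise ValueError("old-format header or partial/five-octet length not handled")
        if first < 192:
            length, i = first, i + 2
        else:
            length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        yield hdr & 0x3F, data[i:i + length]
        i += length

def check_primary_key(data, accept_unsigned=False):
    """Structural check (no signature is verified) of the draft's rule: a signing-capable
    v4 primary key SHOULD carry a User ID/Attribute certification or a direct-key
    signature; accept_unsigned=True is the MAY that accepts one carrying neither."""
    packets = list(parse_packets(data))
    tag, body = packets[0]
    if tag != PUBLIC_KEY or body[0] != 4:
        raise ValueError("first packet must be a v4 public key")
    signing_capable = body[5] in SIGNING_CAPABLE_ALGOS  # version(1) + time(4) + algo(1)
    has_cert = has_direct = False
    context = PUBLIC_KEY  # the packet that subsequent signatures apply to
    for tag, body in packets[1:]:
        if tag != SIGNATURE:
            context = tag
        elif body[1] in CERT_SIG_TYPES and context in (USER_ID, USER_ATTR):
            has_cert = True
        elif body[1] == DIRECT_KEY_SIG and context == PUBLIC_KEY:
            has_direct = True
    if not signing_capable or has_cert or has_direct:
        return "compliant"
    return "accepted-without-signature" if accept_unsigned else "rejected"

# Constructed samples (not real keys), new-format packets with one-octet lengths: key body =
# version, time, algo, dummy MPI; signature body = version, type, algos, empty subpackets, left16, MPI.
def packet(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def pubkey(algo): return packet(PUBLIC_KEY, bytes([4, 0, 0, 0, 0, algo, 0, 8, 0xAB]))
def sig(sig_type): return packet(SIGNATURE, bytes([4, sig_type, 1, 8, 0, 0, 0, 0, 0, 0, 0, 8, 0xAB]))
KEY_WITH_UID = pubkey(1) + packet(USER_ID, b"alice@example.org") + sig(0x13)
KEY_DIRECT_SIG_ONLY = pubkey(1) + sig(DIRECT_KEY_SIG)
BARE_SIGNING_KEY = pubkey(1)
BARE_ENCRYPT_ONLY_KEY = pubkey(2)  # RSA encrypt-only primary: the rule does not apply
```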

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp