ietf-openpgp

Re: [openpgp] Updated Draft (was Re: OpenPGP extension to allow for Primary Encrypt-only Keys)

2014-09-15 10:46:14
Hi,

"Daniel A. Nagy" <nagydani(_at_)epointsystem(_dot_)org> writes:

Hi,

On 09/12/2014 03:17 PM, Derek Atkins wrote:
I got confused by this:

"A primary key capable of making signatures SHOULD be accompanied by
   either a certification signature (on a User ID or User Attribute) or
   a signature directly on the key.
...
It MAY accept public keys without an
   accompanying signature."

Basically, it says that signature-capable primary keys without
certification are not really proper, but a sufficiently liberal
implementation may still accept them.

Correct.  Do I need to reword that or add something to make that more clear?

Not necessarily. Perhaps reordering the sentences (and changing
referring pronouns accordingly) so that these two statements would be
right after one another would make it easier to understand.

How about if I split it up into two paragraphs and reorder/reword a bit:

  A primary key capable of making signatures SHOULD be accompanied by
  either a certification signature (on a User ID or User Attribute) or a
  signature directly on the key.

  Implementations MUST accept encryption-only primary keys without a
  signature.  It also MUST allow importing any key accompanied either by
  a certification signature or a signature on itself.  It MAY accept
  signature-capable primary keys without an accompanying signature.

Now, the only thing a self-certification directly on the key proves is
that the public key is not bogus; it does, indeed, have a private
counterpart, right?

That and a self-assertion of any particular notations in the signature.

Right. Thanks!

-derek

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
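
The import rules in the reworded paragraph above, sketched in Python as an added example (it is not part of the original message or of the draft). It assumes capability is read from the RFC 4880/6637 public-key algorithm ID and that "accompanied" means a signature packet of type 0x10-0x13 or 0x1F is present in the packet stream; `import_decision`, its flag and the sample bytes are hypothetical, and signatures are only located here, not cryptographically verified.

```python
ENCRYPT_ONLY_ALGOS = {2, 16, 18}   # RFC 4880/6637 IDs: RSA Encrypt-Only, Elgamal, ECDH
ACCOMPANYING_SIGS = {0x10, 0x11, 0x12, 0x13, 0x1F}   # certifications, direct-key

def packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP packet stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not handled here")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def import_decision(keydata, accept_unsigned_signing_keys=False):
    """Apply the proposed import rules; signatures are located, not verified."""
    pkts = list(packets(keydata))
    if not pkts or pkts[0][0] != 6:
        raise ValueError("first packet is not a primary public key")
    key = pkts[0][1]
    algo = key[5] if key[0] == 4 else key[7]     # v3 keys carry 2 validity octets
    sig_types = {b[1] if b[0] == 4 else b[2] for t, b in pkts[1:] if t == 2}
    if sig_types & ACCOMPANYING_SIGS:
        return "accept"       # MUST: certification or direct-key signature present
    if algo in ENCRYPT_ONLY_ALGOS:
        return "accept"       # MUST: encryption-only primary key, no signature
    return "accept" if accept_unsigned_signing_keys else "reject"   # MAY

# Constructed sample (not a real key): v4 Elgamal primary key, old-format header.
SAMPLE_ENCRYPT_ONLY = bytes([0x98, 7, 4, 0, 0, 0, 0, 16, 0])
```

A subkey binding signature (type 0x18) does not count as an accompanying signature under this reading, so a signature-capable primary key followed only by subkey bindings still falls under the MAY rule.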