[Top] [All Lists]

Re: [openpgp] How to re-launch the OpenPGP WG

2015-03-16 22:59:24
Also to answer Werner's comment ("OpenPGP does not define the Web of
Trust.  There is no standard for it.")

On Fri, 2015-03-13 at 09:42 -0400, Derek Atkins wrote: 
This was explicitly out of scope from the former OpenPGP WG.  I think
that was a GOOD THING, and I believe it should remain out of scope.
I was probably a bit unclear in what I wrote. I've mainly meant:
The functionality of OpenPGP shouldn't be limited in such a way that
what we can do now with it (e.g. the web of trust, or trust hierarchies
via the trust signatures) would no longer be possible.

Apart from that I basically agree that OpenPGP itself (i.e. the RFC for
the message format) shouldn't define a trust system (e.g. the web of
trust), BUT:
a) it might(!) make sense for another RFC to do this on an informal
b) currently we have several things (well at least the different levels
of user signatures 0x10-0x13) which are pretty much undefined, useless,
ambiguous and therefore even dangerous.
0x10 and 0x11 have at least some "proper" definition, but they don't
tell how implementations should react on them (=> dangerous).
0x12 and 0x13 are quite vague and ambiguous.

IMHO we shouldn't define how OpenPGP is used, only what it inputs and
Phew... well... perhaps not how it's used, but it should be always clear
how a message is to be interpreted - I think I've mentioned some
examples where this is not really the case, and these obviously also
affect the trust and usage model.

For the record, draft-atkins-openpgp-device-certificates already extends
the Attribute Subpacket with a String ID (similar to the UserID).
*If* attributes are to be extended (e.g. in ways as I've proposed in my
previous mail) than I think this is really something that needs
considerable effort to be spent upon.
Properties should be well defined, there shouldn't be too many
properties for actually same things but OTOH one shouldn't be to
reluctant to add new ones when it makes sense. Stuffing everything in a
few generic attributes would be quite bad.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

openpgp mailing list