ietf-openpgp

Re: [openpgp] How to re-launch the OpenPGP WG

2015-03-17 03:43:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/17/2015 04:59 AM, Christoph Anton Mitterer wrote:
> Also to answer Werner's comment ("OpenPGP does not define the Web
> of Trust.  There is no standard for it.")
>
> On Fri, 2015-03-13 at 09:42 -0400, Derek Atkins wrote:
>> This was explicitly out of scope from the former OpenPGP WG.  I
>> think that was a GOOD THING, and I believe it should remain out
>> of scope.
> I was probably a bit unclear in what I wrote. I mainly meant:
> The functionality of OpenPGP shouldn't be limited in such a way
> that what we can do now with it (e.g. the web of trust, or trust
> hierarchies via the trust signatures) would no longer be possible.
>
> Apart from that I basically agree that OpenPGP itself (i.e. the RFC
> for the message format) shouldn't define a trust system (e.g. the
> web of trust), BUT: a) it might(!) make sense for another RFC to do
> this on an informal basis b) currently we have several things (well
> at least the different levels of user signatures 0x10-0x13) which
> are pretty much undefined, useless, ambiguous and therefore even
> dangerous. 0x10 and 0x11 have at least some "proper" definition,
> but they don't tell how implementations should react to them (=>
> dangerous). 0x12 and 0x13 are quite vague and ambiguous.

I fail to see how this behaviour is dangerous, or how it can be
automated in a system with delegated certificate authorities. The
signatures (except for 0x11) are treated the same by the
implementations, which is fine. The information is still useful as
metadata when performing manual analysis of a certification network
and depends on a published certification policy by the issuer. The
uses not being explicit in the RFC does not mean they are vague and
ambiguous, just that they are defined on a per-context / per-CA basis,
and the RFC provides a mechanism to distinguish them, although most
users should normally always use 0x10.

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
"History repeats itself; historians repeat each other"
(Philip Guedalla)
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJVB+kSAAoJEP7VAChXwav6IMkIAIv0UMqyXAiGFq6/sNsC8auF
4luyWuwig1eatV6dkLovhIXVyD4hTERFCmEO3DwDu6O7Mg0MN888c4Obm+TXyWY5
4HSIqY7WvbFkOHt9qqmvVCf/JRRNzTRTz8ift2cpseiQGu8k0DsFqVMdXXG/QXUY
Y2ze3mE6hcqqKVszZ4yD4h7hPo+zpdzDwMFilsM90et/z8AE39T3NwLpsONGqKZl
xWTYlZ2CD+T+ZK6QpQ7cY+RWDRA3xKSijHlG4uGHooYSUPaq+EQqyT7SRs1gn5h9
EEabo1bzCfb/PliCiZNQpQ+Hh+KaMszflQ8HXIar0JKzYOQVB+B2v7bRfiDNTzQ=
=MjpA
-----END PGP SIGNATURE-----

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
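The thread above argues about the four certification signature types 0x10-0x13 (RFC 4880 section 5.2.1) and how implementations react to them. As an added example, not code from the thread or from any OpenPGP implementation, the script below parses OpenPGP packet and subpacket framing (RFC 4880 sections 4.2, 5.2.3 and 5.2.3.1) far enough to read the signature-type octet of a v3 or v4 signature packet, and then applies a hypothetical verifier policy matching the message's description: 0x11 (persona) gets no weight, 0x10/0x12/0x13 are treated alike, and anything else is refused as not being a certification. The test vector is constructed in the script with dummy issuer and MPI material; it is structurally valid but carries no real signature.

```python
"""Read and classify the signature type of OpenPGP signature packets (RFC 4880).

Added example, not code from the mailing-list thread. The packet builder
produces constructed test vectors with dummy crypto material.
"""
import struct

SIG_TYPE_NAMES = {
    0x10: "generic certification",   # no statement about identity checking
    0x11: "persona certification",   # issuer explicitly did NOT check identity
    0x12: "casual certification",    # some casual checking
    0x13: "positive certification",  # substantial checking
}
CERTIFICATION_TYPES = frozenset(SIG_TYPE_NAMES)


def parse_packet_header(data, offset=0):
    """Return (tag, body_offset, body_length) for one packet (RFC 4880 section 4.2)."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("packet tag must have bit 7 set")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03        # old-format header
    if ltype == 0:
        return tag, offset + 2, data[offset + 1]
    if ltype == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if ltype == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate old-format length is not handled here")


def parse_subpackets(area):
    """Yield (type, critical, body) for each subpacket in an area (section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        sub_type = area[pos]                         # length covers the type octet too
        yield sub_type & 0x7F, bool(sub_type & 0x80), area[pos + 1:pos + length]
        pos += length


def parse_signature(packet):
    """Return the fields a verifier consults before any cryptography."""
    tag, off, length = parse_packet_header(packet)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packet[off:off + length]
    version = body[0]
    if version == 3:   # v3: version, 0x05, type, time(4), key ID(8), pk alg, hash alg, ...
        if body[1] != 5:
            raise ValueError("malformed v3 signature")
        return {"version": 3, "sig_type": body[2], "created": struct.unpack(">I", body[3:7])[0],
                "issuer": body[7:15].hex(), "pubkey_alg": body[15], "hash_alg": body[16]}
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    info = {"version": 4, "sig_type": body[1], "pubkey_alg": body[2], "hash_alg": body[3]}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    for sub_type, _critical, sub_body in parse_subpackets(body[6:6 + hashed_len]):
        if sub_type == 2:                            # signature creation time (signed)
            info["created"] = struct.unpack(">I", sub_body)[0]
        elif sub_type == 16:                         # issuer key ID (signed)
            info["issuer"] = sub_body.hex()
    ustart = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[ustart:ustart + 2])[0]
    for sub_type, _critical, sub_body in parse_subpackets(body[ustart + 2:ustart + 2 + unhashed_len]):
        if sub_type == 16 and "issuer" not in info:  # unhashed: lookup hint only, not authenticated
            info["issuer"] = sub_body.hex()
    return info


def certification_policy(sig_type):
    """Hypothetical policy: 0x11 gets no weight, 0x10/0x12/0x13 are treated alike."""
    if sig_type not in CERTIFICATION_TYPES:
        raise ValueError(f"0x{sig_type:02x} is not a user-ID certification type")
    return "ignore" if sig_type == 0x11 else "count"


def build_v4_signature_packet(sig_type, old_format=False):
    """Constructed test vector: structurally valid v4 signature packet with dummy material."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1426564800)            # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789abcdef")     # dummy issuer key ID
    body = (bytes([4, sig_type, 1, 8])                                # v4, type, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"                                               # left 16 hash bits (dummy)
            + b"\x00\x01\x01")                                          # 1-bit MPI, dummy value
    if old_format:
        return bytes([0x80 | (2 << 2), len(body)]) + body              # 0x88: old format, 1-octet len
    return bytes([0xC0 | 2, len(body)]) + body                         # 0xC2: new format, 1-octet len


if __name__ == "__main__":
    for t in sorted(CERTIFICATION_TYPES):
        info = parse_signature(build_v4_signature_packet(t))
        print(f"0x{t:02x} {SIG_TYPE_NAMES[t]:<24} issuer={info['issuer']} -> {certification_policy(t)}")
```

The parser stops short of hashing and MPI handling on purpose: the point of the thread is what a verifier does with the type octet, and that decision is made before any cryptography. Note that the issuer key ID is usually in the unhashed area, so a policy keyed on issuer must treat it as a lookup hint and rely on the actual signature check, not on the subpacket, for authenticity.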