On Thu, 2015-03-19 at 14:00 -0400, Benjamin Kaduk wrote:
> What happens when the policy listed at the policy URL changes? It seems
> that a local resource would be needed.

Well first, the different signature levels (if they rely on a policy
document, which they effectively do due to their vague definition)
wouldn't help you in such a case either.

Second, it's IMHO the responsibility of the signer to keep the old
policies available. Of course it wouldn't be enough for the URL to just
contain the key ID... (it would need at least the valid from / through
dates and probably more values like the signing key fingerprint and more...
or even better a hash of the signature packet).

Cheers,
Chris
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp