ietf-openpgp

Re: [openpgp] How to re-launch the OpenPGP WG

2015-03-19 17:44:12
On Thu, 19 Mar 2015, Christoph Anton Mitterer wrote:

> On Thu, 2015-03-19 at 14:00 -0400, Benjamin Kaduk wrote:
> > What happens when the policy listed at the policy URL changes?  It seems
> > that a local resource would be needed.
> Well first, the different signature levels (if they rely on a policy
> document, which they effectively do due to their vague definition)
> wouldn't help you in such a case either.

I wasn't trying to say that the existing technology is better than your
proposal, just that your proposal needs to take this concern into account.

> Second, it's IMHO the responsibility of the signer to keep the old
> policies available, of course it wouldn't be enough for the URL to just
> contain the key ID... (it would need at least the valid from / through
> dates and probably more values like signing key fingerprint and more...
> or even better a hash on the signature packet).

Sure, it's their responsibility.  But some signers are going to fail to
adhere to it, and the client trying to use such a signature needs to know
how to behave in that case.

-Ben

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp