Just to echo what Jon said...
On 24/04/2015 20:42 pm, Jon Callas wrote:
(Pulled into a new subject.)
Can someone explain why key usage and preference flags for the primary
were made part of user id signatures instead of a direct key signature
or something of the sort? I felt like this added a lot of complexity
and non-determinism to those parts of the implementation which dealt
with that.
Because you want the key owner to issue a signed statement that says "this is how I want you
to use my key" and you want that to be part of the self-signature that says "I own this
key." You don't want a separate signature, because you don't want them to be torn apart.
This is getting into the nature of what a real WoT looks like. In
normal human conversational semantics, a statement is meaningless unless
it is backed by whosoever said it, and what foundation we've got to
believe (rely on) that statement. Unless we can mirror those human
lines of trust, the system is approximately worthless for a real WoT.
This of course assumes that the goal is a WoT. There may be of course
other practical reasons for doing things such as having the key usage &
flags in the inner signed key package. Which is to say, it's important
to frame the question with the goals... and some of us hold out hope
for building a real WoT one day.
Secondly, (this came up somewhere else), I'm not convinced at all that
designated revokers (5.2.3.15) are a good idea. Is there a significant
advantage over just handing the person a revocation certificate of your
key? I remember deciding against implementing this feature at some point
in OpenKeychain because the complexity/benefit tradeoff just wasn't
there.
Let's face it. Revocation is not as good as people think it is. In the general
case it cannot work. There are specific cases where it can work, but you must
always account for the case that there is revocation information, you're just
not getting it....
That's a pretty good statement.
Revocation as an algorithm is too unreliable to be relied upon, and we
now have scientific proof of that [0]. What is the role of a
cryptographically unreliable algorithm in our thinking? Normally we run
a mile from such things, why do we pander to it this time?
iang
[0] By that I mean, back in the 2000s, CA/PKI's revocation was predicted
to not be reliable enough to work well enough to be worth the effort,
and when subCAs started failing a few years back, the browser vendors
found it necessary to start shipping new browser distros with hard-coded
revocation lists in them. In essence, we are seeing the über-CAs move
to doing dynamic revocation within the browsers, but they don't call it
that, nor do they admit that they are CAs.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp