
Re: [openpgp] New fingerprint: to v5 or not to v5

2015-10-10 05:35:59
On Fri, Oct 09, 2015 at 02:44:46PM -0400, Daniel Kahn Gillmor wrote:
>  a) don't include any key creation time at all; signatures themselves
>     have a creation time, which is sufficient.
>
>  b) include key creation time in the material certified only for
>     self-sigs (certifications issued by the key itself).  Do not include
>     any key creation time in the material certified by third-parties.
>
>  c) Include creation time of the certified key in the material certified
>     for all certifications -- first-party or third-party.
>
> I'm tempted by the simplicity of (a), to be honest.
>
> (b) sounds doable, but I don't know how useful it is to have assertions
> from the key of when the key was created, or what to do with situations
> where some self-sigs assert a different key creation time than others.
> Should we reject or ignore some of them?  If so, which ones?
>
> (c) sounds like trouble -- you'll get self-signed assertions of key
> creation time that don't match third-party assertions of key creation
> time.  What does that mean?  How should it be represented to the user?
> I think this is the issue that Werner was hinting at.
>
> What are the downsides of (a)?  What are the advantages of having a key
> creation time at all?  Is it simply that it provides a universally-known
> temporal boundary when to accept signatures made by that key?

I've certainly used key creation time as a separate piece of information
to "most recent self-signature". The latter indicates how recently the
key can be seen as still in use / maintained, but the former gives an
idea of how long it's been around and can help when making a decision
about which of multiple keys to use for an individual. I think having
that in the self-sig would work OK (i.e., option b). In general, is the
most recent self-sig not the one that should be trusted, with perhaps a
warning if any of the previous ones have a different creation time
listed?

J.

-- 
Friends are God's apology for relations.
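The conflict-resolution policy J. proposes for option (b), trusting the most recent self-signature's key-creation claim and warning when older self-sigs disagree, together with the option (a) fallback of using the earliest self-sig as the "how long has this key been around" estimate and the temporal-boundary check DKG mentions, written out as an added illustration. This is not code from the thread or from any OpenPGP implementation; `SelfSig`, `resolve_key_creation`, `earliest_self_sig` and `signature_predates_key` are assumed names, and the records are constructed rather than parsed from real packets.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SelfSig:
    """One self-signature over a key (constructed record, not a real packet parser).

    sig_created: creation time of the signature itself (seconds since epoch);
                 every signature carries this, regardless of option chosen.
    key_created: key creation time the self-sig asserts in its certified
                 material, or None if the signer included none (option a).
    """
    sig_created: int
    key_created: Optional[int]


def resolve_key_creation(selfsigs: List[SelfSig]) -> Tuple[Optional[int], List[str]]:
    """Option (b) policy: trust the most recent self-sig's key-creation claim.

    Returns the trusted creation time (None if the newest self-sig asserts
    none) plus one warning for every older self-sig whose claim disagrees,
    so the disagreement can be surfaced to the user rather than silently
    dropped.
    """
    if not selfsigs:
        raise ValueError("no self-signatures to evaluate")
    ordered = sorted(selfsigs, key=lambda s: s.sig_created)
    newest = ordered[-1]
    trusted = newest.key_created
    warnings: List[str] = []
    for older in ordered[:-1]:
        if older.key_created is not None and older.key_created != trusted:
            warnings.append(
                f"self-sig made at {older.sig_created} asserts key creation "
                f"{older.key_created}, but the newest self-sig (made at "
                f"{newest.sig_created}) asserts {trusted}"
            )
    return trusted, warnings


def earliest_self_sig(selfsigs: List[SelfSig]) -> int:
    """Option (a) fallback: with no key creation time in the certified
    material, the oldest self-sig creation time is the best evidence of
    how long the key has been around."""
    if not selfsigs:
        raise ValueError("no self-signatures to evaluate")
    return min(s.sig_created for s in selfsigs)


def signature_predates_key(sig_created: int, key_created: Optional[int]) -> bool:
    """Temporal-boundary check: a signature dated before the key's trusted
    creation time cannot have been made by that key and should be flagged.
    With no trusted creation time (option a) there is no boundary to apply."""
    return key_created is not None and sig_created < key_created


if __name__ == "__main__":
    # Constructed sample: three self-sigs, the newest asserting a creation
    # time that differs from the two earlier ones.
    sample = [
        SelfSig(sig_created=1000, key_created=900),
        SelfSig(sig_created=2000, key_created=900),
        SelfSig(sig_created=3000, key_created=950),
    ]
    trusted, warns = resolve_key_creation(sample)
    print("trusted key creation:", trusted)
    for w in warns:
        print("warning:", w)
    print("earliest self-sig (option a age estimate):", earliest_self_sig(sample))
    print("signature at 940 predates key?", signature_predates_key(940, trusted))
```

Sorting by signature creation time is what makes "most recent" well defined; the key-creation claim inside each self-sig is deliberately ignored for ordering, since that claim is exactly the value in dispute.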

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp