On Fri, Oct 09, 2015 at 02:44:46PM -0400, Daniel Kahn Gillmor wrote:
a) don't include any key creation time at all; signatures themselves
have a creation time, which is sufficient.
b) include key creation time in the material certified only for
self-sigs (certifications issued by the key itself). Do not include
any key creation time in the material certified by third-parties.
c) Include creation time of the certified key in the material certified
for all certifications -- first-party or third-party.
I'm tempted by the simplicity of (a), to be honest.
(b) sounds doable, but i don't know how useful it is to have assertions
from the key of when the key was created, or what to do with situations
where some self-sigs assert a different key creation time than others.
Should we reject or ignore some of them? if so, which ones?
(c) sounds like trouble -- you'll get self-signed assertions of key
creation time that don't match third-party assertions of key creation
time. What does that mean? how should it be represented to the user?
I think this is the issue that Werner was hinting at.
what are the downsides of (a)? What are the advantages of having a key
creation time at all? Is it simply that it provides a universally-known
temporal boundary when to accept signatures made by that key?
I've certainly used key creation time as a separate piece of information
to "most recent self-signature". The latter indicates how recently the
key can be seen as still in use / maintained, but the former gives an
idea of how long it's been around and can help when making a decision
about which of multiple keys to use for an individual. I think having
that in the self-sig would work ok (i.e. option b). In general is the
most recent self-sig not the one that should be trusted, with perhaps a
warning if any of the previous ones have a different creation time
listed?
J.
--
Friends are God's apology for relations.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp