On Mon 2018-05-07 20:09:01 +0200, Kristian Fiskerstrand wrote:
In any case, there have been discussions along the way, so I propose we
explicitly mark certification subkeys forbidden and ignored by
implementations.
Maybe something like;
"when generating a subkey binding signature, the implementation MUST NOT
set the certify usage flag. When interpreting a subkey binding
signature, implementations MUST ignore the certify subkey binding usage
flag if it is set."
I like this proposed text.
PS! As a tangent point, we likely also want to change the default
behavior for no usage flag specified for v5 to be ignored as not having
a recognized flag, instead of defaulting to all features, although I
don't have a specific proposal for this.
This is a separate point, but it also seems reasonable to me. I'd be
fine either way -- but we probably still want to specify that v5
implementations making a subkey MUST include a key usage subpacket in
the hashed subpackets section.
--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp