[Top] [All Lists]

Re: [openpgp] Overhauling User IDs / Standardizing User Attributes (was: Re: Scoped trust (signatures))

2018-06-26 15:46:11
I think the problem you are facing is Zooko's triangle: Decentralised,
meaningful names for keys can not be secure.  The PGP (implementation)
answer to this is the web of trust, but that is pretty much out of scope
for OpenPGP (the standard).  This is also apparent from your description
by the introduction of external policies ("when I want to sign X, I need
to check Y"), that are also out of scope for OpenPGP.  This might
explain the lack of response here.

Once you are adding additional policies, you can create additional
restrictions for user id fields, or introduce additional (private use?)
user attributes ad lib, and those will be the least of your worries.

OTOH, without such additional policies (that can be enforced by
conforming implementations), the proposed fields will just be more free
form fields in OpenPGP that accumulate cruft over time. There are a
couple of those already, and we have a pretty bad track record
validating those.

On 06/26/2018 05:27 PM, Leo Gaspard wrote:
Are there really no opinions on this idea of decoupling names and email
addresses through standardization of more User Attributes and removal of
User ID packets in v5 keys? Not having any feedback from any software
maintainer makes me wary of starting to write a patch for 4880bis right now.

openpgp mailing list

<Prev in Thread] Current Thread [Next in Thread>