ietf-openpgp

[openpgp] Optional User IDs

2019-05-31 07:27:33
At Fri, 31 May 2019 09:42:21 +0200,
Vincent Breitmoser wrote:
However, despite this flexibility, there are shortcomings for the use case of
distributing these updates in a privacy-preserving way:

1. A TPK must consist of a primary key, followed by at least one UserID.
Strictly speaking there doesn't have to be a signature on that User ID, but in
practice OpenPGP implementations commonly consider TPKs that carry no UserID (or
no signed UserID) as invalid.

My understanding is that this restriction has been lifted from 4880bis
for V4 keys.  Specifically, Section 12.1 now makes User IDs optional:

  Primary-Key
     [Revocation Self Signature]
     [Direct Key Signature...]
     [User ID [Signature ...] ...]

  https://datatracker.ietf.org/doc/draft-ietf-openpgp-rfc4880bis/?include_text=1

Whereas in 4880, this reads:

  Primary-Key
      [Revocation Self Signature]
      [Direct Key Signature...]
       User ID [Signature ...]
      [User ID [Signature ...] ...]

  https://tools.ietf.org/html/rfc4880#section-12.1

As I understand it, this change comes from merging
draft-atkins-openpgp-device-certificates, which says:

   The description in RFC 4880 requires a User ID.  Implementors of
   this specification can loosen that requirement such that an
   augmented V4 device certificate looks like the following sequence
   (no longer requiring a User ID packet):

   
https://datatracker.ietf.org/doc/draft-atkins-openpgp-device-certificates/?include_text=1,

:) Neal
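An added example (not from the post above or any OpenPGP implementation) showing how the two Section 12.1 grammars differ for a consumer: it reads the packet-tag sequence from a constructed byte string and checks it against the RFC 4880 rule (User ID required) and the 4880bis rule (User ID optional). It assumes new-format packet headers without partial body lengths, and ignores packet contents entirely.

```python
# Added example: packet-tag sequence check for the TPK grammar in Section 12.1.
# Only new-format packet headers are parsed (no partial-length bodies) and
# packet bodies are skipped. All sample bytes below are constructed.

PUBLIC_KEY, SIGNATURE, USER_ID, PUBLIC_SUBKEY, USER_ATTRIBUTE = 6, 2, 13, 14, 17


def packet_tags(data: bytes) -> list:
    """Return the tag sequence of new-format packets in data (bodies skipped)."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled here")
        tag, b1 = ctb & 0x3F, data[i + 1]
        if b1 < 192:                         # one-octet body length
            length, i = b1, i + 2
        elif b1 < 224:                       # two-octet body length
            length, i = ((b1 - 192) << 8) + data[i + 2] + 192, i + 3
        elif b1 == 255:                      # five-octet body length
            length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        else:
            raise ValueError("partial body lengths are not handled here")
        tags.append(tag)
        i += length                          # skip the packet body
    return tags


def check_tpk(tags: list, require_user_id: bool) -> bool:
    """Check order: Primary-Key, [sigs...], [User ID/Attribute [sigs...]]...,
    [Subkey [sigs...]]...  require_user_id=True is the RFC 4880 grammar
    (at least one User ID); False is the relaxed 4880bis grammar."""
    if not tags or tags[0] != PUBLIC_KEY:
        return False
    phase, seen_user_id = 0, False   # 0 = key sigs, 1 = user ids, 2 = subkeys
    for tag in tags[1:]:
        if tag == SIGNATURE:
            continue                 # signatures may follow any component
        if tag in (USER_ID, USER_ATTRIBUTE) and phase <= 1:
            phase, seen_user_id = 1, seen_user_id or tag == USER_ID
        elif tag == PUBLIC_SUBKEY:
            phase = 2
        else:
            return False             # unexpected packet type or out of order
    return seen_user_id or not require_user_id


# Constructed sample: primary key + direct-key signature, no User ID packet.
NO_UID_KEY = b"\xc6\x03ABC" + b"\xc2\x02XY"
```

Running `check_tpk(packet_tags(NO_UID_KEY), require_user_id=True)` rejects the constructed key under the 4880 grammar, while the same call with `require_user_id=False` accepts it under 4880bis.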

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
