Re: [openpgp] 1PA3PC: first-party attested third-party certifications (m

Hi,

your idea is similar to what I had in mind and recently talked about
with Kristian.  I have some remarks so:

Putting this into a standard-self signature is troublesome because this
requires to update and distribute the self-signature as soon as one
uploads to a keyserver.

We need to have a way do include more key signatures.  This can easily
be done with several of such self-signatures using the same creation
date or another mechanism to connect them. An upper limit on the number
of such self-signatures may be suggested in the implementation nits.

The requirement to sort the hashes is not really helpful because that
requires that the implementation must check the order and decide what to
do if they are not sorted. In practice the implementation will sort them
anyway (in particular if several self-signatures are required).  It
should also be up to the implementation on how to match them.

To accomplish this a new signature-class can be used just for this
purpose.  The subpacket definition should include a version number or
digest algorithm to be future prove.  We should of course use SHA-256
and not SHA-512.

| #### Attested Certifications
| 
| (1 octet with version number,
|  N octets of certification digests)
| 
| The version octet MUST be 1 and the certification digests consists of
| an array of 32 octets of a SHA-256 digest, each.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp