I've been reading through a lot of this documentation and I like the idea of
whatever we want to call them.

I also think I agree that they'd be better as User Attributes than notations.
Notations are supposed to be an analogue to X.509v3 extensions; they are a way
to write arbitrary, free-form data into a signature (and thus a certification).
The name is significant. A signer makes a signature, and puts notes into that
signature to express or clarify what the signature means.

In contrast, a User Attribute is the generalization of a User ID. It says "this
key speaks for <ID>" whether that ID is an email address, etc., and then various
keys make certification signatures stating that they agree with that.

So it seems to me that the proper syntax to do this within the structure of
OpenPGP would be to have the statement be in a User Attribute, and then
concurring keys certify that, possibly with notations.

I can think of another utterly different syntax, though, that would be similar
to what Vinnie Moscaritolo and Tony Mione did in "PGP Tickets" which you can
find as an I-D at
<https://tools.ietf.org/html/draft-moscaritolo-mione-pgpticket-03>.

The idea here would be that it would be like an Attribute Certificate, or a
capability. It would permit (e.g.) a sysadmin to be able to say that the holder
of a key is the owner of a file path on a server. (Vinnie wrote software for
this exact case. You could sign in to a file server with an OpenPGP key and the
ticket could describe what authorizations you had.)

I don't think this is exactly what you want, but it's close. An advantage of
the ticket approach is that you don't need anyone's permission to do it. It
could literally be a bit of defined YAML or JSON that you clear-sign as text,
and then poof, you're done. You don't have to listen to any of us give helpful
comments about what you want to do, you just do it.

Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp