ietf-openpgp

Re: [openpgp] Combining signature with signer's public key

2020-12-11 03:28:11
On Fri, 11 Dec 2020 10:01:49 +0100,
Wiktor Kwapisiewicz wrote:
> On 11.12.2020 09:34, Neal H. Walfield wrote:
> > One thing to be aware of: the subpacket areas can only hold 64kb of
> > data.  So, you really should minimize the certificate.
>
> Minimizing the certificate is actually a good idea regardless of the
> certificate transport method (Autocrypt header, signature subpacket,
> notation etc.).

I agree that when we need to optimize for space, data whose utility in
the particular context is zero or less should be stripped.

> It would be good to specify what that minimized cert would actually
> contain. I think the primary key + valid encryption subkey + signing
> key that signed the e-mail + User ID of the sender which contains
> their e-mail address (or the primary one if there is no better match)
> would constitute the minimal set. Of course clients on the receiving
> side should properly merge the cert with what they already have (*not*
> replace it).

I think overspecifying is bad, because what is useful is context
dependent.  Should I be forbidden from including third-party
certificates?  What if I suspect that one of them would allow you to
authenticate my certificate?  What if I have per-device encryption
subkeys and I know that your implementation will encrypt to them all,
like OpenKeychain?  Do I have to choose one?

:) Neal

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
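
The selection and merge rules discussed in this message, as an added example that is not part of the original post or of any OpenPGP implementation. It models a certificate as a list of hypothetical `Component` records (identifiers and sizes are constructed), keeps every valid encryption subkey so the per-device case is covered, and rejects a result that exceeds the size budget.

```python
from dataclasses import dataclass

# A v4 signature subpacket area has a two-octet length; other subpackets share it.
AREA_MAX = 0xFFFF

@dataclass(frozen=True)
class Component:
    kind: str            # "primary", "subkey" or "userid"
    ident: str           # fingerprint, or the User ID string
    flags: frozenset = frozenset()  # "encrypt", "sign", "primary-uid"
    valid: bool = True   # False if expired or revoked
    size: int = 0        # constructed serialized size, self-signature included

def pick_userid(cert, sender_email):
    """User ID carrying the sender's address, else the primary User ID."""
    uids = [c for c in cert if c.kind == "userid" and c.valid]
    needle = f"<{sender_email.lower()}>"
    for uid in uids:
        if needle in uid.ident.lower():
            return uid
    return next((u for u in uids if "primary-uid" in u.flags), None)

def minimize(cert, signer_fpr, sender_email, budget=AREA_MAX):
    """Keep primary key, valid encryption subkeys, the signer, one User ID."""
    uid = pick_userid(cert, sender_email)
    keep = [c for c in cert
            if c.kind == "primary"
            or (c.kind == "subkey" and c.valid and
                ("encrypt" in c.flags or c.ident == signer_fpr))
            or c is uid]
    total = sum(c.size for c in keep)
    if total > budget:
        raise ValueError(f"minimized cert is {total} bytes, budget is {budget}")
    return keep

def merge(known, received):
    """Receiver side: add what is new, never drop what is already known."""
    have = {(c.kind, c.ident) for c in known}
    return list(known) + [c for c in received if (c.kind, c.ident) not in have]

# Constructed sample certificate (identifiers and sizes are made up).
CERT = [
    Component("primary", "PRIMARY", frozenset({"certify"}), size=500),
    Component("userid", "Alice <alice@example.org>", frozenset({"primary-uid"}), size=300),
    Component("userid", "Alice <alice@work.example>", size=300),
    Component("subkey", "ENC-LAPTOP", frozenset({"encrypt"}), size=600),
    Component("subkey", "ENC-PHONE", frozenset({"encrypt"}), size=600),
    Component("subkey", "ENC-OLD", frozenset({"encrypt"}), valid=False, size=600),
    Component("subkey", "SIGN-1", frozenset({"sign"}), size=400),
    Component("subkey", "SIGN-2", frozenset({"sign"}), size=400),
]
```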