Hi OpenPGP folks--

in https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/43 and
https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/25 vanitasvitae
suggests that the structure for OpenPGP certificates (aka "Transferable
Public Keys", aka "keyblocks") is wrong. He recommends this change:

--- a/crypto-refresh.md
+++ b/crypto-refresh.md
@@ -2914,8 +2914,8 @@ The format of an OpenPGP V4 key that uses multiple public
keys is similar except
User ID [Signature ...]
[User ID [Signature ...] ...]
[User Attribute [Signature ...] ...]
- [[Subkey [Binding-Signature-Revocation]
- Primary-Key-Binding-Signature] ...]
+ [[Subkey [Binding-Signature-Revocation ...]
+ Subkey-Binding-Signature ...] ...]
A subkey always has a single signature after it that is issued using the
primary key to tie the two keys together.
This binding signature may be in either V3 or V4 format, but SHOULD be V4.
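
Review bot: the unchanged context sentence directly below the grammar, "A subkey always has a single signature after it that is issued using the primary key", contradicts the new "Subkey-Binding-Signature ..." line, which allows several binding signatures per subkey. The same change should reword that sentence, for example to say that each subkey is followed by one or more subkey binding signatures issued by the primary key, optionally preceded by binding signature revocations. With the Primary-Key-Binding-Signature label gone from the grammar, it would also help if the text near it said where that signature is expected to appear.
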

There are two things happening here:

 - the binding signature is correctly identified as a
   Subkey-Binding-Signature, not a Primary-Key-Binding-Signature. (the
   primary-key-binding signature (the "cross-sig") is, where
   appropriate, expected to be embedded in the subkey-binding-signature
   itself)

 - there can be more than one binding sig revocation, and more than one
   subkey binding signature

This matches my understanding of how OpenPGP certificates are
structured, and I believe most implementations work this way.

I've opened
https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/52
to request a test for this, but it may not be necessary if the WG has
consensus that this is correct.

I note that if the change in the structure is correct, then the text
below it should also be changed (it should not say "has a single
signature after it…")

--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
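
The two subkey grammars from the patch in the message above, as an added example that is not part of the original message or of any OpenPGP implementation: a Python check of packet order in the subkey section under the old and the proposed rule. It assumes packets are already parsed into (tag, signature type) pairs, uses the RFC 4880 tag and type numbers, treats the old grammar's single binding signature as a type 0x18 signature, and checks order only, not signature validity; the function names and SAMPLE are made up for illustration.

```python
# Added example: packet-order check for the subkey section of a certificate.
# Packets are modelled as (packet tag, signature type or None).
PUBLIC_SUBKEY, SIGNATURE = 14, 2                # packet tags (RFC 4880, 4.3)
SUBKEY_BINDING, SUBKEY_REVOCATION = 0x18, 0x28  # signature types (RFC 4880, 5.2.1)

def split_subkey_groups(packets):
    """Return one list of signature types per Subkey packet, in order."""
    groups = []
    for tag, sig_type in packets:
        if tag == PUBLIC_SUBKEY:
            groups.append([])
        elif tag == SIGNATURE and groups:
            groups[-1].append(sig_type)
        elif groups:
            # Only signatures and further subkeys may follow the first subkey.
            raise ValueError(f"unexpected packet tag {tag} after a subkey")
    return groups

def group_matches(sig_types, revised):
    """True if the signatures after one subkey follow the grammar.

    old:     [Binding-Signature-Revocation] followed by one binding signature
    revised: [Binding-Signature-Revocation ...] Subkey-Binding-Signature ...
    """
    i = 0
    while i < len(sig_types) and sig_types[i] == SUBKEY_REVOCATION:
        i += 1
    revocations, bindings = i, sig_types[i:]
    # Both grammars need at least one binding signature after the revocations.
    if not bindings or any(t != SUBKEY_BINDING for t in bindings):
        return False
    if revised:
        return True
    return revocations <= 1 and len(bindings) == 1

def subkeys_match(packets, revised=True):
    """Check every subkey group of a packet sequence against one grammar."""
    return all(group_matches(g, revised) for g in split_subkey_groups(packets))

# Constructed sample: primary key, user ID with a certification, one subkey
# with a single binding signature, one subkey with two revocations and two
# binding signatures.
SAMPLE = [
    (6, None), (13, None), (2, 0x13),
    (14, None), (2, 0x18),
    (14, None), (2, 0x28), (2, 0x28), (2, 0x18), (2, 0x18),
]

if __name__ == "__main__":
    print("revised grammar:", subkeys_match(SAMPLE, revised=True))
    print("old grammar:    ", subkeys_match(SAMPLE, revised=False))
```

The second subkey in SAMPLE is what separates the two rules: the old grammar rejects it, the proposed one accepts it.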