
RFC2440 and issuer ID sub-packet




From RFC2440:

        5.2.3.3. Signature creation time

                 (4 octet time field)
                 The time the signature was made.
                  MUST be present in the hashed area.

(note the MUST)

        5.2.3.4. Issuer

                 (8 octet key ID)
                  The OpenPGP key ID of the key issuing the signature.

(note the lack of any advice on whether the subpacket is mandatory or
optional)

        
        5.2.4.1. Subpacket Hints

        An implementation SHOULD put the two mandatory subpackets,
        creation time and issuer, as the first subpackets in the
        subpacket list, simply to make it easier for the implementer to
        find them.

The fact that the issuer is mandatory should be reflected by a "MUST" in
5.2.3.4 as/when RFC2440 is updated.

As it happens, PGP6.5 is capable of creating keys without an issuer at
all (the example I have is of an X.509 certificate wrapped by a PGP key).
This is sufficient to break the standard public-key server software -
OpenPGP vendors may like to check their code too!

The fact that PGP omits the subpacket may be because of the way the
mandatory nature of this subpacket has not been sufficiently emphasised.

-- 
Ian Bell                                           T U R N P I K E  Ltd
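
An added example, not part of the original message or of any vendor's code: a parser for a v4 signature subpacket area that reports a missing issuer instead of failing on it. The function names and the sample bytes are constructed for illustration; the subpacket type numbers (2 and 16) and the 1/2/5-octet length encoding are those of RFC2440.

```python
import struct

SIG_CREATION_TIME, ISSUER = 2, 16  # RFC 2440 signature subpacket type numbers

def parse_subpackets(area):
    """Split a v4 signature subpacket area into (type, critical, body) tuples."""
    out, i, n = [], 0, len(area)
    while i < n:
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > n:
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            if i + 5 > n:
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > n:      # length counts the type octet
            raise ValueError("subpacket length runs past the area")
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
        i += length
    return out

def check_signature(hashed, unhashed):
    """Return (creation_time, issuer_key_id or None, list of problems)."""
    problems = []
    hashed_sp, unhashed_sp = parse_subpackets(hashed), parse_subpackets(unhashed)
    ctime = next((b for t, _, b in hashed_sp if t == SIG_CREATION_TIME), None)
    if ctime is None or len(ctime) != 4:
        problems.append("creation time missing from hashed area")
        ctime = None
    else:
        ctime = struct.unpack(">I", ctime)[0]
    # The issuer may sit in either area; its absence is reported, never assumed away.
    issuer = next((b for t, _, b in hashed_sp + unhashed_sp if t == ISSUER), None)
    if issuer is None or len(issuer) != 8:
        problems.append("no usable issuer key ID")
        issuer = None
    return ctime, issuer.hex() if issuer else None, problems

# Constructed sample areas (not taken from a real key)
HASHED = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", 946684800)
WITH_ISSUER = bytes([9, ISSUER]) + bytes.fromhex("0123456789abcdef")
NO_ISSUER = b""  # a signature carrying no issuer subpacket at all
```
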