[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PoP & Signer's User ID subpacket?
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, Jul 14, 2003 at 02:07:27AM -0400, David Shaw wrote:
> On Sun, Jul 13, 2003 at 11:37:24PM -0400, Michael Young wrote:
> > "David Shaw" <dshaw@xxxxxxxxxxxxxxx> writes:
> > > The only thing that really troubles me about the idea is that it
> > > raises problems for the (legal, to my reading of 2440) encrypt-only v4
> > > key.
> > This doesn't trouble me... I strongly believe that we should
> > remove the loophole that allows encrypt-only top-level v4 keys,
> > for exactly this reason. (I was astounded when David pointed out
> > the seemingly permissive language in another forum.)
> Just so we're all clear, Michael and I had been discussing the
> legality of a v4 encrypt-only primary WITHOUT any subkeys. An
> encrypt-only key WITH subkeys is clearly forbidden in 2440 both
> implicitly (an encrypt-only primary key could not issue the
> non-optional subkey binding signatures) and explicitly ("In a key that
> has a main key and subkeys, the primary key MUST be a key capable of
> This is just a primary key that happens to be of an encrypt-only
> algorithm (presumably #16, since there is no way to express an
> encrypt-only primary key with algorithm #1 (you would need to use #2,
> which is deprecated)).
I should add, though, that I don't really understand the objection to
an encrypt-only primary. OpenPGP is a collection of various tools
that can be combined in different ways for different uses. Some
combinations are more useful than others, and some make no sense, but
I don't see why (in the absence of an actual problem) one particular
combination should be considered a "loophole" and removed.
Do I strongly care about encrypt-only primaries in particular? Not
really. I do care about clean design, though, and adding a special
additional "no encrypt-only primaries" rule on top of the current
clean primary/subkey design seems without clear benefit.
Can you explain what troubles you about encrypt-only primaries?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----