Re: PoP & Signer's User ID subpacket?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jul 14, 2003 at 02:07:27AM -0400, David Shaw wrote:
> On Sun, Jul 13, 2003 at 11:37:24PM -0400, Michael Young wrote:
> > 
> > "David Shaw" <dshaw@xxxxxxxxxxxxxxx> writes:
> > > The only thing that really troubles me about the idea is that it
> > > raises problems for the (legal, to my reading of 2440) encrypt-only v4
> > > key.
> > 
> > This doesn't trouble me... I strongly believe that we should
> > remove the loophole that allows encrypt-only top-level v4 keys,
> > for exactly this reason.  (I was astounded when David pointed out
> > the seemingly permissive language in another forum.)
> 
> Just so we're all clear, Michael and I had been discussing the
> legality of a v4 encrypt-only primary WITHOUT any subkeys.  An
> encrypt-only key WITH subkeys is clearly forbidden in 2440 both
> implicitly (an encrypt-only primary key could not issue the
> non-optional subkey binding signatures) and explicitly ("In a key that
> has a main key and subkeys, the primary key MUST be a key capable of
> certification.").
> 
> This is just a primary key that happens to be of an encrypt-only
> algorithm (presumably #16, since there is no way to express an
> encrypt-only primary key with algorithm #1 (you would need to use #2,
> which is deprecated)).

I should add, though, that I don't really understand the objection to
an encrypt-only primary.  OpenPGP is a collection of various tools
that can be combined in different ways for different uses.  Some
combinations are more useful than others, and some make no sense, but
I don't see why (in the absence of an actual problem) one particular
combination should be considered a "loophole" and removed.

Do I strongly care about encrypt-only primaries in particular?  Not
really.  I do care about clean design, though, and adding a special
additional "no encrypt-only primaries" rule on top of the current
clean primary/subkey design seems without clear benefit.

Can you explain what troubles you about encrypt-only primaries?

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE/EsMW4mZch0nhy8kRAhl9AKCAnW30D4l+W+pC/hhLEXs9TONulQCfeOnP
+0pShRqWTG3OCdbC42bje9U=
=iQ9h
-----END PGP SIGNATURE-----
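
The distinction drawn in the message above (an encrypt-only v4 primary with subkeys versus one without) can be checked mechanically from the packet sequence. The following is an added example, not part of the original message or of any OpenPGP implementation; the function names, result labels and sample packets are assumptions constructed for illustration.

```python
# Added illustration. All packet bytes are constructed samples, not real keys.
ENCRYPT_ONLY = {2: "RSA Encrypt-Only", 16: "Elgamal (Encrypt-Only)"}  # RFC 2440 algorithm IDs
PUBKEY, PUBSUBKEY = 6, 14  # packet tags: public key, public subkey

def packets(data):
    """Yield (tag, body) per packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bit 7 clear: not a packet header")
        if hdr & 0x40:                       # new format
            tag, first, i = hdr & 0x3F, data[i + 1], i + 2
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def classify(keyring):
    """Classify a transferable public key by the rule discussed in the thread."""
    keys = [(t, b) for t, b in packets(keyring) if t in (PUBKEY, PUBSUBKEY)]
    if not keys or keys[0][0] != PUBKEY:
        raise ValueError("first key packet is not a primary key")
    body = keys[0][1]
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only v4 primary keys are examined")
    algo = body[5]                           # version(1) + creation time(4) + algorithm(1)
    if algo not in ENCRYPT_ONLY:
        return "ok"
    has_subkeys = any(t == PUBSUBKEY for t, _ in keys[1:])
    return "forbidden" if has_subkeys else "encrypt-only-no-subkeys"

def sample_key(tag, algo):
    """Constructed v4 key packet (old-format header, dummy key material)."""
    body = bytes([4, 0x3F, 0x12, 0xC3, 0x16, algo]) + b"\x00\x00"
    return bytes([0x80 | (tag << 2), len(body)]) + body
```

The "forbidden" result corresponds to the case the message says 2440 rules out; "encrypt-only-no-subkeys" is the case whose legality the thread is debating.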