[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Requiring self-signed uids? (was Re: PoP & Signer's User ID subpacket?)
-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Jul 17, 2003 at 05:50:49PM -0400, Michael Young wrote:
> "David Shaw" <dshaw@xxxxxxxxxxxxxxx> writes:
> > So, as a solution, rather than ripping into the key construction
> > rules, why not just put in a line saying "user IDs and user attributes
> > SHOULD have a self-signature", and call it a day?
> I think it's suitably "nice" to merit "ripping into" a key construction
> rule that I have always thought was wrong. Despite your attempts to
> paint the current rule as cleaner, simpler, or more natural, I still
"Despite your attempts to paint the current rule"? Yikes. We're all
working towards the same goal here. Remember who suggested dealing
with this in 2440bis. If I liked the no-required-self-sigs status
quo, I wouldn't have brought it up.
Although it might seem I'm arguing against required self-sigs, I'm
actually fairly torn. One problem is that combining this change with
the encrypt-only key change implies a number of subtle and not so
subtle changes, and I'm not (yet) convinced that this is the right
thing to do.
I understand that you see the removal of encrypt-only keys as an
advantage (as you seem to be arguing against encrypt-only keys almost
more than you are arguing for a required self-signature), but I don't
see things that way.
Despite what I said earlier in this thread, requiring self-sigs does
not depend on removing encrypt-only keys. Since there seems to be
widespread agreement for the former, and not for the latter, perhaps
it would be better to resolve the self-sigs question and then discuss
encrypt-only keys as a suppurate issue. Discussing the two issues tied
together seems to be leading nowhere.
I propose "Self-signatures are REQUIRED for all user IDs and user
attribute IDs on any key that has a primary capable of certification".
This handles the self-sig issue without changing the key construction
rules at all.
If there is consensus on this, then a different discussion can be
opened on the matter of encrypt-only keys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----