
Re: Signer's User ID



On Thu, Jul 21, 2005 at 10:32:50AM +0200, Jeroen Massar wrote:
> On Thu, 2005-07-21 at 07:39 +0200, Werner Koch wrote:
> > Hello!
> > 
> > I'd like to have a clarification of the signature subpacket
> > 
> >   5.2.3.22. Signer's User ID
> 
> <SNIP>
> 
> > OTOH, for applications it makes more sense to have just the vanilla
> > mail address (mailbox@domain) here.  This would make it easier to
> > compare a mail's From address to the actual signature.
> 
> As I actually never really took time to read the full spec, I didn't
> come across this before, but this is indeed ideal for making keys
> distributed in nature.
> 
> "Solution" for making it distributed would be:
> http://www.imc.org/ietf-openpgp/mail-archive/msg11035.html

That message suggests adding the signer's name to signatures in some
manner, and then using that to hint to the keyserver which key to
fetch when verifying a signature.  It seems a fairly roundabout way to
get a key.

Why not just do this directly?  We already have a keyserver subpacket
(24), which is a URL, so it can even point to a web page.  If a
signer wants to give "how to get my key" information in their
signature, just point to it directly.

> Question to Werner: does gnupg support the above item, if not can we add
> it, and secondly could we have gnupg then derive the keyserver from it
> as I noted before? (read: want a patch?)

GnuPG already supports what I said above.  And if you set
auto-key-retrieve, it'll even fetch the key for you automatically when
it sees a signature with such information.

David
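
The two subpackets discussed in this thread, as an added example that is not part of the original message or of GnuPG's code: a parser for an OpenPGP v4 signature subpacket area that pulls out the keyserver subpacket (24) and the Signer's User ID, then compares a mail's From address to the latter. The type number 28 and the length encoding are taken from RFC 4880; the function names and the sample data are constructed for illustration.

```python
from email.utils import parseaddr

PREFERRED_KEYSERVER = 24  # the "keyserver subpacket (24)" from the message
SIGNERS_USER_ID = 28      # Signer's User ID type number, per RFC 4880

def parse_subpackets(area: bytes):
    """Yield (type, critical, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket overruns its area")
        # The length counts the type octet; bit 7 of that octet is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def signer_hints(hashed_area: bytes) -> dict:
    """Collect the key-location and signer hints. Pass the hashed area only:
    unhashed subpackets are not covered by the signature."""
    hints = {"keyserver": None, "signer": None}
    for ptype, _critical, data in parse_subpackets(hashed_area):
        if ptype == PREFERRED_KEYSERVER:
            hints["keyserver"] = data.decode("utf-8", "replace")
        elif ptype == SIGNERS_USER_ID:
            hints["signer"] = data.decode("utf-8", "replace")
    return hints

def from_matches_signer(from_header: str, signer: str) -> bool:
    """Compare mailbox@domain only; works for a bare address or a full user ID."""
    sender = parseaddr(from_header)[1].lower()
    return bool(sender) and sender == parseaddr(signer)[1].lower()

def _sub(ptype: int, data: bytes) -> bytes:
    """Build one constructed subpacket (one-octet length form only)."""
    return bytes([len(data) + 1, ptype]) + data

# Constructed sample area, not taken from a real signature.
SAMPLE_AREA = (_sub(28, b"Alice Example <alice@example.org>")
               + _sub(24, b"https://keys.example.org/alice.asc"))
```

Both values are only hints for locating and matching a key; they carry no weight until the signature itself has been verified against the fetched key.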