per-user data signatures [was: Re: multiple keys vs multiple identities]
David Shaw
dshaw at jabberwocky.com
Fri Sep 24 17:53:17 CEST 2010
On Sep 24, 2010, at 11:23 AM, Daniel Kahn Gillmor wrote:
> On 09/24/2010 10:30 AM, Simon Richter wrote:
>> Of course. I was talking about data signatures, i.e. "I'm signing this
>> with my work hat on".
>
> ah, gotcha. sorry for the misunderstanding.
>
>> The main use case I have is my Debian work -- when I sign a .changes
>> file, the Debian archive will accept it, even if the package in question
>> was really intended for another repository (where I use the same key for
>> authentication).
>>
>> As my main key is well-established in the WoT, I'd like to use the
>> existing connections to get a trust path; however using the key directly
>> leads to the problem that the signature can be interpreted in multiple
>> ways.
>
> yeah, this makes sense. in the context of debian packaging, the
> material signed is relevant. if your changelog says "unstable" then
> debian will accept it. if you're uploading it to some other repo, that
> repo would presumably be named something other than "unstable".
>
> fwiw, it wouldn't be difficult to propose such a notation, and it should
> be possible to implement it quickly in debsign using gpg's --set-notation.
There is actually a defined field for this in OpenPGP (see section 5.2.3.22, Signer's User ID). I don't think anyone implements it though.
> However, testing right now, it doesn't seem to work with gpg for regular
> data signatures:
>
> echo test | gpg --sign --set-notation 'test@example.org=test' | \
> gpg --list-packets
>
> does not show the notation :(
It works for me. I even cut and pasted your exact command line.
hashed subpkt 20 len 28 (notation: test@example.org=test)
David
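As an added example (not code from this thread, and not GnuPG's own code), the parser below shows what the exchange above is looking at: it builds a v4 signature packet whose hashed area carries a notation subpacket (type 20) laid out the way --set-notation writes it, plus the Signer's User ID subpacket (type 28, RFC 4880 section 5.2.3.22) that David mentions, then walks both subpacket areas and prints lines in the style of --list-packets. The "len 28" for test@example.org=test in David's output is reproduced from the layout alone: four flag octets, two 2-octet lengths, 16 octets of name and 4 of value. The sample user ID, the hat@example.org notation and the timestamp are constructed for the example, and the signature MPI is a placeholder, so the packet parses but does not verify. The second notation is deliberately placed in the unhashed area to show the check a practitioner wants: only hashed subpackets are covered by the signature, so a "work hat" notation has to live in the hashed area to mean anything.

```python
"""Walk the subpackets of an OpenPGP v4 signature packet (RFC 4880 5.2.3)
and pull out notation data (type 20) and Signer's User ID (type 28).
Added example for this thread, not gpg code; the sample signature is
constructed inline with a placeholder MPI, so it parses but never verifies."""
import struct

SIG_CREATION_TIME, NOTATION_DATA, SIGNERS_USER_ID = 2, 20, 28
HUMAN_READABLE = 0x80000000          # notation flag (RFC 4880 5.2.3.16)


def _encode_len(n):
    """Subpacket length: 1, 2 or 5 octets (RFC 4880 5.2.3.1)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def _read_len(buf, pos):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def subpacket(sp_type, body, critical=False):
    # the length covers the type octet plus the body; bit 7 of the type = critical
    return _encode_len(len(body) + 1) + bytes([sp_type | (0x80 if critical else 0)]) + body


def notation(name, value, human_readable=True):
    """Same layout gpg writes for --set-notation name=value."""
    n, v = name.encode(), value.encode()
    flags = HUMAN_READABLE if human_readable else 0
    return subpacket(NOTATION_DATA, struct.pack(">IHH", flags, len(n), len(v)) + n + v)


def build_signature_packet(hashed, unhashed=b""):
    """v4 signature over a binary document (0x00), RSA (1), SHA-256 (8).
    The trailing MPI is a 1-bit placeholder: this packet is for parsing only."""
    body = (bytes([4, 0x00, 1, 8])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"                       # left 16 bits of the hash
            + struct.pack(">H", 1) + b"\x01")   # placeholder MPI
    if len(body) >= 192:
        raise ValueError("example only handles a one-octet new-format length")
    return bytes([0xC0 | 2, len(body)]) + body  # new-format header, tag 2


def parse_subpackets(area):
    out, pos = [], 0
    while pos < len(area):
        length, pos = _read_len(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated subpacket")
        tag = area[pos]
        out.append((tag & 0x7F, bool(tag & 0x80), bytes(area[pos + 1:pos + length])))
        pos += length
    return out


def describe_signature(pkt):
    """Return notations and Signer's User ID, recording whether each sits in
    the hashed area (covered by the signature) or the unhashed area (not)."""
    if (pkt[0] & 0xC0) != 0xC0 or (pkt[0] & 0x3F) != 2:
        raise ValueError("not a new-format signature packet")
    body = pkt[2:2 + pkt[1]]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    areas = ((True, body[6:6 + hlen]), (False, body[8 + hlen:8 + hlen + ulen]))
    info = {"notations": [], "signer_user_id": None, "lines": []}
    for hashed, area in areas:
        for sp_type, critical, data in parse_subpackets(area):
            prefix = "hashed subpkt" if hashed else "subpkt"   # gpg's wording
            desc = ""
            if sp_type == NOTATION_DATA:
                flags, nlen, vlen = struct.unpack(">IHH", data[:8])
                name = data[8:8 + nlen].decode()
                raw = data[8 + nlen:8 + nlen + vlen]
                hr = bool(flags & HUMAN_READABLE)
                value = raw.decode() if hr else raw.hex()
                info["notations"].append((name, value, hr, hashed))
                desc = " (notation: %s=%s)" % (name, value)
            elif sp_type == SIGNERS_USER_ID:
                desc = " (signer's user ID)"
                if hashed:          # an unhashed user ID is trivially replaceable
                    info["signer_user_id"] = data.decode()
            info["lines"].append("%s %d len %d%s" % (prefix, sp_type, len(data), desc))
    return info


def sample_signature():
    """Constructed sample: the thread's notation plus a Signer's User ID in the
    hashed area, and one notation in the unhashed area to show it is unprotected."""
    hashed = (subpacket(SIG_CREATION_TIME, struct.pack(">I", 1285343597))
              + notation("test@example.org", "test")
              + subpacket(SIGNERS_USER_ID, b"Work Hat <work@example.org>"))
    unhashed = notation("hat@example.org", "unprotected")
    return build_signature_packet(hashed, unhashed)


if __name__ == "__main__":
    for line in describe_signature(sample_signature())["lines"]:
        print(line)
```

Running it prints the hashed creation time, the notation line exactly as gpg shows it above ("hashed subpkt 20 len 28 (notation: test@example.org=test)"), the Signer's User ID line, and then a bare "subpkt 20 ..." line for the unhashed notation. A consumer such as an archive that wants to act on a notation or a Signer's User ID should only read the hashed area, which is what describe_signature does for the user ID.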
More information about the Gnupg-users mailing list