Problem with faked-system-time option
jerome at jeromebaum.com
Thu Jun 16 01:19:03 CEST 2011
>>> Out of curiosity, as long as we're talking about things that current code will reject, does the 0x50 signature meet the semantics desired here? This all sounds vaguely notary-like ("I saw this document on such-and-such date") to me, and the intent of 0x50 is a notary signature. The nice thing about a 0x50 signature is that it is a signature on a signature, so the timestamp service doesn't need to see the document - just the (detached) signature.
>> My understanding of a notary's job would include "I trust this key to
>> be valid, in possession only of the person named in the uid, while
>> that person was in sufficient mental state, not being threatened at
>> gun-point, ..."
> The 0x50 signature should not be interpreted as the output of a real-world notary
Who says that?
> OpenPGP calls this signature a "Third-Party Confirmation signature". It is merely a signature on a signature for whatever purpose is desired by the signer.
So, is it interpretation-dependent?
>> -- why should we use a signature type that could be
>> misinterpreted, when there is a "timestamp" signature type that fits
>> our needs exactly?
> Because as already noted, the 0x40 signature is not fully specified in the standard. There is not enough information to know how to generate one.
Looking at <http://tools.ietf.org/html/rfc4880>:
1. Referring to 0x50: "It is analogous to a notary seal on the signed
data." -- see my problem with that above.
2. If the issue is "text vs. binary", § 5.2.1 ("Signature Types")
seems to suggest all signatures besides 0x01 are binary.
3. If the issue is "what do we sign (data vs. another signature)?", I
would say it depends what you're trying to do: Are you asserting that
you saw the signature, or are you asserting that you saw the data?
email jerome at jeromebaum.com
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
More information about the Gnupg-users
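The message above turns on which signature type octet (0x00, 0x40, 0x50) a timestamping service emits. The following is an added example, not part of the original message and not GnuPG code: it reads the type octet and creation time from v4 Signature packets as laid out in RFC 4880 sections 4.2 and 5.2. The function names and sample bytes are constructed for illustration, and only single-octet new-format and subpacket lengths are handled.

```python
# Signature type names from RFC 4880 section 5.2.1 (subset relevant to this thread).
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document",
             0x40: "timestamp", 0x50: "third-party confirmation"}

def read_packet(buf, pos):
    """Return (tag, body, next_pos) for the OpenPGP packet starting at pos."""
    hdr = buf[pos]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if hdr & 0x40:                       # new-format header
        tag, first = hdr & 0x3F, buf[pos + 1]
        if first >= 192:
            raise ValueError("multi-octet new-format lengths not handled here")
        length, pos = first, pos + 2
    else:                                # old-format header: 1, 2 or 4 length octets
        tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        if n == 8:
            raise ValueError("indeterminate length not handled here")
        length, pos = int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n
    if pos + length > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[pos:pos + length], pos + length

def creation_time(hashed):
    """Return the creation time (subpacket type 2) from a v4 hashed area, or None."""
    i = 0
    while i < len(hashed):
        n, i = hashed[i], i + 1          # n counts the type octet plus the data
        if n == 0 or n >= 192 or i + n > len(hashed):
            raise ValueError("multi-octet or malformed subpacket length")
        if hashed[i] & 0x7F == 2:        # bit 7 of the type octet is the critical flag
            return int.from_bytes(hashed[i + 1:i + n], "big")
        i += n
    return None

def describe_signatures(buf):
    """List (type_octet, type_name, creation_time) for each v4 Signature packet."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)
        if tag == 2 and body[:1] == b"\x04":      # tag 2 = Signature, version 4
            hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
            out.append((body[1], SIG_TYPES.get(body[1], "other"), creation_time(hashed)))
    return out

# Constructed sample: a 0x50 and a 0x00 v4 signature packet with dummy MPIs.
_TAIL = bytes.fromhex("0102 0006 0502 4df93b00 0000 abcd 0008ff")
SAMPLE = b"\x88\x13\x04\x50" + _TAIL + b"\xc2\x13\x04\x00" + _TAIL
```

The creation time comes from the hashed subpacket area, so it is covered by the signature; the type name is only a label from the RFC table and says nothing about how a verifier interprets it.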