timestamp (0x40) signatures?
David Shaw
dshaw@jabberwocky.com
Mon Mar 4 16:14:01 2002
On Sun, Mar 03, 2002 at 01:47:07PM +0100, Werner Koch wrote:
> On Sun, 3 Mar 2002 00:28:11 +0100 (MET), Rick van Rein said:
>
> > I just noticed that GnuPG is not willing to parse a timestamp signature
> > that follows RFC 2440 properly. In the source I did not find it either,
> > so that makes sense. Shall I make a patchit, or is there a reason not to?
>
> Please send me such a signature so that I can write a test case. For
> larger patches we need papers (> ~10 lines total), so it might be
> easier if we write it.

It's an interesting question as to just what an 0x40 signature is.
RFC 2440 defines it as a "timestamp" signature, but does not really
define what it is a signature on (if anything). RFC 1991 goes into
more detail and defines it as a signature on a signature, which is
more useful - this is the idea of a notary for PGP, which proves that
a key owner saw a signature and gives this new signature as proof. Of
course, 2440 replaces 1991, so who knows?

If all that is wanted here is a straight standalone timestamp, then
the 0x02 signature (standalone signature over an empty document) would
be more appropriate. I actually have the code for this ready, but I
wasn't planning on checking it in so as to help freeze this version.

Werner, I can check it in if you want. :)

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
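
Added example, not part of the original message and not GnuPG code: the 0x40 and 0x02 values discussed above are the signature type octet of an OpenPGP signature packet, and this parser pulls that octet and the creation time out of a v3 or v4 packet laid out as in RFC 2440. The function names and the `SAMPLE` packet are hypothetical; the sample is constructed, carries no MPIs and cannot be verified.

```python
# Type octets named as in RFC 2440 section 5.2.1 (subset relevant to the thread).
SIG_TYPES = {0x00: "binary document", 0x02: "standalone", 0x40: "timestamp"}

def read_packet(buf):
    """Return (tag, body) of the first packet (definite lengths only)."""
    ctb = buf[0]
    if (ctb & 0xC0) == 0xC0 and buf[1] < 192:       # new format, one-octet length
        tag, start, length = ctb & 0x3F, 2, buf[1]
    elif (ctb & 0xC0) == 0x80 and (ctb & 0x03) < 3:  # old format, 1/2/4-octet length
        size = 1 << (ctb & 0x03)
        tag, start = (ctb >> 2) & 0x0F, 1 + size
        length = int.from_bytes(buf[1:start], "big")
    else:
        raise ValueError("packet header form not handled here")
    if start + length > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[start:start + length]

def creation_time(area):
    """Return the creation time (subpacket type 2) from a v4 hashed area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if n >= 192:
            raise ValueError("multi-octet subpacket length not handled here")
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        if (area[i] & 0x7F) == 2 and n == 5:        # mask off the critical bit
            return int.from_bytes(area[i + 1:i + 5], "big")
        i += n
    return None

def describe_signature(buf):
    """Return (type octet, type name, creation time) for a signature packet."""
    tag, body = read_packet(buf)
    if tag != 2 or len(body) < 7:
        raise ValueError("not a signature packet")
    if body[0] == 3:                                # v3: fixed field layout
        sig_type, created = body[2], int.from_bytes(body[3:7], "big")
    elif body[0] == 4:                              # v4: time is a hashed subpacket
        sig_type = body[1]
        hashed_len = int.from_bytes(body[4:6], "big")
        created = creation_time(body[6:6 + hashed_len])
    else:
        raise ValueError("unknown signature version")
    return sig_type, SIG_TYPES.get(sig_type, "unknown"), created

# Constructed sample: v4, type 0x40, DSA (17), SHA-1 (2), creation-time subpacket.
_BODY = bytes([4, 0x40, 17, 2, 0, 6, 5, 2]) + (1015258441).to_bytes(4, "big") + bytes(4)
SAMPLE = bytes([0x88, len(_BODY)]) + _BODY
```

Nothing in either packet layout identifies the data that was signed, so the type octet is the only place a parser learns whether it is looking at a 0x40 or a 0x02 signature.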