timestamp (0x40) signatures?

David Shaw dshaw@jabberwocky.com
Mon Mar 4 16:14:01 2002


On Sun, Mar 03, 2002 at 01:47:07PM +0100, Werner Koch wrote:
> On Sun, 3 Mar 2002 00:28:11 +0100 (MET), Rick van Rein said:
> 
> > I just noticed that GnuPG is not willing to parse a timestamp signature
> > that follows RFC 2440 properly.  In the source I did not find it either,
> > so that makes sense.  Shall I make a patchit, or is there a reason not to?
> 
> Please send me such a signature so that I can write a test case.  For
> larger patches we need papers (> ~10 lines total), so it might be
> easier if we write it.

It's an interesting question as to just what an 0x40 signature is.
RFC 2440 defines it as a "timestamp" signature, but does not really
define what it is a signature on (if anything).  RFC 1991 goes into
more detail and defines it as a signature on a signature, which is
more useful - this is the idea of a notary for PGP, which proves that
a key owner saw a signature and gives this new signature as proof.  Of
course, 2440 replaces 1991, so who knows?

If all that is wanted here is a straight standalone timestamp, then
the 0x02 signature (standalone signature over an empty document) would
be more appropriate.  I actually have the code for this ready, but I
wasn't planning on checking it in so as to help freeze this version.

Werner, I can check it in if you want. :)

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson