atom at suspicious.org
Sat May 15 07:51:07 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 14 May 2004, David Shaw wrote:
> On Fri, May 14, 2004 at 12:30:34AM -0400, Atom 'Smasher' wrote:
> > 1) if a cert-policy-url is specified (in the config file), policy URLs are
> > added even to keybinding signatures. this does not appear to be a
> > violation of rfc2440, but it does seem weird.
> This is intentional. Both notations and policy URLs can be attached
> to self-sigs. Notations clearly need to be applied to self-sigs, but
> the idea was that self-sigs may well have a policy they are issued
> under as well.
ok... that makes sense.
> I'm certainly open to discussing it. I'm somewhat allergic to adding
> yet-another-option, but it is true that the notations that people
> attach to self-sigs are not necessarily the same notations that people
> attach to sigs on other keys.
i can understand your aversion to more adding features. this probably
doesn't need (yet another) feature, just more documentation. your
explanation (above) is reasonable; i just wasn't expecting the
behavior... i was a surprised to find the policy in the subkeys.
without the need to add new features, it can just be documented that one
might desire to generate a primary key with one policy-url, and then edit
the key to add a subkey with (or without) a different policy-url.
> > 2) if a subkey has it's expiration date updated (to generate a new
> > keybinding signature) with no policy-url specified or a different
> > policy-url, the old policy-url remains intact. there appears to be no
> > simple way to either change or get rid of a bad policy-url from a
> > keybinding signature.
> Currently you can't. Probably the policy URL should disappear when
> the sig is remade. I need to think about this some more.
a policy URL could point to an dead domain, or be otherwise obsolete...
there should be a (simple) way to update (or delete) a policy-url when
regenerating a keybinding signature.
i haven't played with notations in this regard, but i think the same logic
applies... i don't know if the same problems apply.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"I don't care what the facts are."
-- President George Bush 1988
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures
-----END PGP SIGNATURE-----
More information about the Gnupg-devel