cert-policy-url

Atom 'Smasher' atom at suspicious.org
Sat May 15 07:51:07 CEST 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 14 May 2004, David Shaw wrote:
> On Fri, May 14, 2004 at 12:30:34AM -0400, Atom 'Smasher' wrote:

> > 1) if a cert-policy-url is specified (in the config file), policy URLs are
> > added even to keybinding signatures. this does not appear to be a
> > violation of rfc2440, but it does seem weird.
>
> This is intentional.  Both notations and policy URLs can be attached
> to self-sigs.  Notations clearly need to be applied to self-sigs, but
> the idea was that self-sigs may well have a policy they are issued
> under as well.
=========================

ok... that makes sense.


> I'm certainly open to discussing it.  I'm somewhat allergic to adding
> yet-another-option, but it is true that the notations that people
> attach to self-sigs are not necessarily the same notations that people
> attach to sigs on other keys.
============================

i can understand your aversion to more adding features. this probably
doesn't need (yet another) feature, just more documentation. your
explanation (above) is reasonable; i just wasn't expecting the
behavior... i was a surprised to find the policy in the subkeys.

without the need to add new features, it can just be documented that one
might desire to generate a primary key with one policy-url, and then edit
the key to add a subkey with (or without) a different policy-url.


> > 2) if a subkey has it's expiration date updated (to generate a new
> > keybinding signature) with no policy-url specified or a different
> > policy-url, the old policy-url remains intact. there appears to be no
> > simple way to either change or get rid of a bad policy-url from a
> > keybinding signature.
>
> Currently you can't.  Probably the policy URL should disappear when
> the sig is remade.  I need to think about this some more.
================================

a policy URL could point to an dead domain, or be otherwise obsolete...
there should be a (simple) way to update (or delete) a policy-url when
regenerating a keybinding signature.

i haven't played with notations in this regard, but i think the same logic
applies... i don't know if the same problems apply.


 	...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"I don't care what the facts are."
		-- President George Bush 1988
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: What is this gibberish?  -  http://atom.smasher.org/links/#digital_signatures

iEYEARECAAYFAkClr9EACgkQnCgLvz19QePiHgCfeaAFPu1/VJgddCWduXUp7FXn
8AoAn0Jm18q8XVzfM/XyQgo9oCBd8ReZ
=M64c
-----END PGP SIGNATURE-----

More information about the Gnupg-devel mailing list