--raw-sign, --raw-verify

David Shaw dshaw at jabberwocky.com
Sun Apr 9 23:08:49 CEST 2006


On Sat, Apr 08, 2006 at 06:37:39PM -0400, Anthony Carrico wrote:
> On Fri, Apr 07, 2006 at 10:16:49PM -0400, David Shaw wrote:
> > The main problem I have with raw signatures is nicely stated in this
> > documentation: it's not OpenPGP.  GnuPG (1.4, anyway) is an OpenPGP
> > tool.  It seems out of scope for it to support something other than
> > OpenPGP.
> 
> People make an investment when they exchange keys to build an identity
> with OpenPGP. It makes sense to capitalize on that investment when an
> application uses same algorithm, but not the same syntax. The
> alternative is a proliferation of separate key infrastructures--surely
> a bad thing. From this perspective, the focus of the proposed patch
> really is on OpenPGP.

My concern is not about doing this with OpenPGP keys or not.  I think
that's a fine idea.  My concern is doing this in GnuPG, specifically.
These signatures would not be OpenPGP signatures.

We have seen in the past few months two different signature flaws in
GnuPG, in part caused by lenient parsing of signature data.  I
question whether GnuPG, an OpenPGP tool, should grow the cabability of
making and issuing non-OpenPGP signatures in a non-standard way.

To be sure, GnuPG is free software.  You have the ability to do
whatever you like with it, and that's a good thing.  My argument is
against accepting this feature into the main GnuPG code base where it
would need to be maintained for all, but used by very few.

David



More information about the Gnupg-devel mailing list