automated userid certifications

Jason Harris
Sun Oct 27 16:10:02 2002

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Oct 26, 2002 at 08:07:40AM -0400, David Shaw wrote:
> On Sat, Oct 26, 2002 at 11:13:53AM +0200, Werner Koch wrote:
> > On Fri, 25 Oct 2002 19:22:46 -0400, David Shaw said:
> >=20
> > > I'd rather use 0x11, as a new signature class would have a serious
> > > backwards compatibility problem.  0x11 is pretty good for this
> >=20
> > Add notation data or better an policy URL to describe this
> > certification policy.
> I thought about this, but again it's a PGP problem because PGP ignores
> policy URLs :(
> I'm currently thinking about doing 0x11, a policy URL, and a policy
> URL in the (parentheses) as part of the user ID.  Cover all bases..

[Bcc'd to gnupg-users, but please continue this on keyanalyze-discuss.]

My main concern is being able to detect certifications only on email
addresses in the keyanalyze reports.  0x11 signatures, whether generated
by automated systems or humans, are quite easy to filter.

I already know about the Thawte Freemail program, but are there other
automated systems that have signed PGP keys (esp. enough keys to have an
effect on keyanalyze MSDs)?  Such signatures could be filtered based on
the issuing keyid.

Jason Harris          | NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it? | web:

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.0 (FreeBSD)