per-user data signatures [was: Re: multiple keys vs multiple identities]

Daniel Kahn Gillmor dkg@fifthhorseman.net
Fri Sep 24 17:23:01 CEST 2010


On 09/24/2010 10:30 AM, Simon Richter wrote:
> Of course. I was talking about data signatures, i.e. "I'm signing this
> with my work hat on".

ah, gotcha.  sorry for the misunderstanding.

> The main use case I have is my Debian work -- when I sign a .changes
> file, the Debian archive will accept it, even if the package in question
> was really intended for another repository (where I use the same key for
> authentication).
> 
> As my main key is well-established in the WoT, I'd like to use the
> existing connections to get a trust path; however using the key directly
> leads to the problem that the signature can be interpreted in multiple
> ways.

yeah, this makes sense.  in the context of debian packaging, the
material signed is relevant.  if your changelog says "unstable" then
debian will accept it.  if you're uploading it to some other repo, that
repo would presumably be named something other than "unstable".

fwiw, it wouldn't be difficult to propose such a notation, and it should
be possible to implement it quickly in debsign using gpg's --set-notation.

However, testing right now, it doesn't seem to work with gpg for regular
data signatures:

 echo test | gpg --sign --set-notation 'test@example.org=test' | \
  gpg --list-packets

does not show the notation :(

Werner, David, is this expected behavior?  am i doing something wrong?

	--dkg
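The archive-side half of this idea, as an added example that is not part of dkg's message or of debsign: parse `gpg --list-packets` output for a notation subpacket and accept an upload only when the notation is in the hashed (signed) area and names the intended repository. The notation name `repo@example.org` and the packet listings are constructed for illustration; only the listing format follows gpg.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `gpg --list-packets` output for a data signature that carries
# the notation twice: once in the hashed area (covered by the signature) and
# once in the unhashed area (not covered, so an attacker could rewrite it).
# Key ID and digest bytes are placeholders.
SAMPLE_PACKETS = """\
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1285341781, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest ab cd
\thashed subpkt 2 len 4 (sig created 2010-09-24)
\thashed subpkt 20 len 34 (notation: repo@example.org=unstable)
\tsubpkt 20 len 30 (notation: repo@example.org=evil)
\tsubpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
\tdata: [2048 bits]
"""

# Constructed listing for the situation dkg observed: no notation at all.
NO_NOTATION_PACKETS = """\
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1285341781, md5len 0, sigclass 0x00
\tdigest algo 2, begin of digest ab cd
\thashed subpkt 2 len 4 (sig created 2010-09-24)
\tsubpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
\tdata: [2048 bits]
"""

# Subpacket type 20 is "notation data"; gpg prints it as "notation: name=value".
_NOTATION_RE = re.compile(
    r"^\s*(?P<hashed>hashed )?subpkt 20 len \d+ \(notation: "
    r"(?P<name>[^=]+)=(?P<value>.*)\)\s*$",
    re.MULTILINE,
)

def parse_notations(listing: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split notation subpackets into hashed (signed) and unhashed ones."""
    found: Dict[str, List[Tuple[str, str]]] = {"hashed": [], "unhashed": []}
    for m in _NOTATION_RE.finditer(listing):
        bucket = "hashed" if m.group("hashed") else "unhashed"
        found[bucket].append((m.group("name"), m.group("value")))
    return found

def signed_notation(listing: str, name: str) -> Optional[str]:
    """Return the hashed value of `name`, or None if absent or ambiguous."""
    values = {v for n, v in parse_notations(listing)["hashed"] if n == name}
    return values.pop() if len(values) == 1 else None

def accept_for_repo(listing: str, repo: str, name: str = "repo@example.org") -> bool:
    """Accept only when the signed notation names this repository."""
    return signed_notation(listing, name) == repo
```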
