Problem with faked-system-time option

Werner Koch wk at gnupg.org
Mon Jun 27 15:05:35 CEST 2011


On Thu, 16 Jun 2011 15:58, dshaw at JABBERWOCKY.COM said:

> key signature mean?  Unless it's marked critical, the web of trust
> code in both GPG and PGP will treat those signatures as fully
> qualified ones and not just timestamp-only, yet if it is marked

This is why one should use a separate key for a timestamping service.  I
still fail to understand the use case for a timestamp-only key
signature.

> In this particular case, people seem to want a notation under the
> gnupg.org domain, arguing that it will be more likely to be adopted as
> the gnupg.org domain lends some cachet.  I don't agree with that, but
> don't care enough to argue it.

That's fine and easy to implement - i.e. we don't need anything to
implement and don't change any code.  Notations are fully supported by
gpgme and thus applications may cope with them as they need.

If the idea is that those timestamping-only key signatures have some
effect on the WoT, I doubt that we want to support them.

> In terms of the second part, GPG itself, I don't yet see a need for
> any code change, which will have to be written and then maintained in
> the code (semi-)indefinitely.  Perhaps I'm cynical, but I don't really

ACK.

Let me add that I view the WoT as an entirely overrated mechanism.  It
works fine in some (maybe even only in that one hacker) communities but
for the broad mass of users (if they will ever adopt OpenPGP) it is
irrelevant.  Far too complex.  If the WoT would be used like X.509 is
used by web browsers, we would soon get all the same usual problems as
with all global PKIs.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



