New user needs some help
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jun 6 19:22:09 CEST 2014
On 06/06/2014 12:46 PM, Cpp wrote:
> Alright, thanks for elaborating it. Does this mean that the notation
> (the "sig-notation issuer-fpr at notations.openpgp.fifthhorseman.net=%g"
> line) is final, and is not going to change in the future?
I don't know if anyone is going to introduce another extension with
roughly the same semantics in the future. It also seems likely that
future revisions of OpenPGP (OpenPGPv5, though that may take years) will
change the issuer-keyID subpacket to just include the full fingerprint
(there might also be a different fingerprint mechanism by that point).
Anyway, this is the only currently proposed mechanism to provide this
information -- and no one else has suggested an alternative that i have
seen.
> I noticed that GnuPG also offers a "cert-notation" option - should
> this be set too or can I safely omit it?
>
> dkg: I have no idea what the answers should be. But guessing I'd just
> put the second answer as "cert-notation
> issuer-crt at notations.openpgp.fifthhorseman.net=%g" though I'm unsure
> whether the presence of cert-notation it is necessary.
If you're going to use the cert-notation, i think you'd want to use the
exact same name -- the point is that the label offers the full
fingerprint of the issuer, so changing it from issuer-fpr to issuer-crt
doesn't seem like a good idea.
So, should you include this notation in your certifications as well as
your data signatures? The use cases i tend to see for ambiguity in data
signatures (e.g. "e-mail signature can't be validated, but we do not
know whether that is because we have the wrong key or we have a bad
signature") seem different in how they're presented to the user from the
way that unverifiable certifications are presented.
In particular, only fully-verified certifications should ever be used by
certification-checking mechanisms, and those that fail to verify should
probably be ignored, whether it's because they were bad, or because they
are from an unknown key.
what do other folks think? would this distinction be useful in
certifications?
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140606/41f17171/attachment.sig>
More information about the Gnupg-users
mailing list