Third-Party Confirmation signature?

Daniel Roesler diafygi at gmail.com
Tue Jul 9 22:55:21 CEST 2019


On Tue, Jul 9, 2019 at 2:10 PM Werner Koch <wk at gnupg.org> wrote:

> The problem I see is that the keyservers need to check the validity of
> the 0x50 signature first.  Only this will allow them to distribute only
> key-signatures which have been approved by the key owner.

Correct, a keyserver would need to validate signatures before
including them in the public API. However, when gossiping with peers,
they could still include the hashes of non-verified signatures so
they stay in sync with each other.

> If that has been achieved we can quickly add the required feature to
> gpg.

While adding the ability for 0x50 signatures would be nice, I would
still like to explore ways of users self-limiting signatures within
the existing gpg command line, since most users will be just using
whatever version is in their operating system repo or whatever version
they downloaded at the time of installation.

So it seems like Notation Data subpackets may be the way to go instead
of 0x50 Third-Party Confirmation signatures, since notations can be
added in the existing gpg edit-key interface.

I'll begin playing around with this interface to see what kind of user
experience is possible.

Thanks for the prompt responses!
Daniel
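As an added example, not code from this thread or from GnuPG: a small Python parser that pulls Notation Data subpackets (RFC 4880 sec. 5.2.3.16) out of a v4 OpenPGP signature packet and applies the kind of keyserver-side policy check discussed above, after (not instead of) cryptographic verification. The notation name `keyserver-publish@example.org`, the policy function and the packet bytes are assumptions constructed here for illustration.

```python
import struct

NOTATION = 20            # subpacket type 20: Notation Data (RFC 4880 5.2.3.16)
HUMAN_READABLE = 0x80000000

def subpacket(sp_type, body):
    # one-octet length form (< 192 bytes) suffices here; length counts the type octet
    return bytes([len(body) + 1, sp_type]) + body

def notation_subpacket(name, value, flags=HUMAN_READABLE):
    n, v = name.encode(), value.encode()
    return subpacket(NOTATION, struct.pack(">IHH", flags, len(n), len(v)) + n + v)

def build_sig_packet(sig_type, hashed=(), unhashed=()):
    """Constructed v4 signature packet (new-format tag 2, EdDSA/SHA-256 ids,
    dummy hash prefix and MPI): only the subpacket layout is realistic."""
    h, u = b"".join(hashed), b"".join(unhashed)
    body = bytes([4, sig_type, 22, 8]) + struct.pack(">H", len(h)) + h
    body += struct.pack(">H", len(u)) + u + b"\x00\x00" + b"\x00\x08\x80"
    return bytes([0xC2, len(body)]) + body

def parse_notations(packet):
    """Return (sig_type, [(name, value, human_readable)]) from the *hashed*
    subpacket area only: unhashed subpackets are not covered by the
    signature, so a notation placed there proves nothing about the signer."""
    if packet[0] != 0xC2 or packet[1] >= 192 or packet[2] != 4:
        raise ValueError("expected a short new-format v4 signature packet")
    body = packet[2:2 + packet[1]]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    area, i, found = body[6:6 + hashed_len], 0, []
    while i < len(area):
        if area[i] >= 192:
            raise ValueError("multi-octet subpacket lengths not handled here")
        length, sp_type = area[i], area[i + 1] & 0x7F   # bit 7 is the critical flag
        sp_body = area[i + 2:i + 1 + length]
        if sp_type == NOTATION:
            flags, nlen, vlen = struct.unpack(">IHH", sp_body[:8])
            found.append((sp_body[8:8 + nlen].decode(),
                          sp_body[8 + nlen:8 + nlen + vlen].decode(),
                          bool(flags & HUMAN_READABLE)))
        i += 1 + length
    return body[1], found

def keyserver_accepts(packet, name, value):
    """Assumed policy: publish a certification (sig types 0x10-0x13) only if
    its hashed area carries the required notation. Signature verification
    against the signer's key must still happen before this check."""
    sig_type, notations = parse_notations(packet)
    return 0x10 <= sig_type <= 0x13 and any(n == name and v == value
                                             for n, v, _ in notations)
```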


