Third-Party Confirmation signature?
angel at pgp.16bits.net
Wed Jul 10 09:50:22 CEST 2019
On 2019-07-09 at 15:55 -0500, Daniel Roesler via Gnupg-users wrote:
> While adding the ability for 0x50 signatures would be nice, I would
> still like to explore ways of users self-limiting signatures within
> the existing gpg command line, since most users will be just using
> whatever version is in their operating system repo or whatever version
> they downloaded at the time of installation.
We are currently in a catch-22 situation, where neither clients nor
keyservers support such confirmation signatures.
However, clients will eventually update, while we will be stuck forever
supporting whatever format is devised. I think it's more important to
define the right packets, based on packet semantics and also for
performing on-the-fly validation.
The users will need updated software for making a confirmation
signature anyway (even if it's just an extra shell script over gpg1), so I
see little hassle in requiring gpg >= 2.2.18 instead. Especially taking
into account that receiving new (legitimate) sigs is an uncommon event.
It wouldn't be that bad if someone had to use a LiveCD in order to
incorporate a new signature, just as you may need to use a certification
key which you usually keep offline.
(It would be good if this prompted them to update their day-to-day
Please go for the best solution in the long term, not just the one which
is easiest to support with ancient clients for the sake of it.
PS: This is not an endorsement of one type over the other, I haven't
evaluated the merits of either option (yet).