Re: questions: packet tag or content tag (4.3), what is placed in hashed subpacket field (5.2.3), critical bit (5.2.3.1
In <200005221536.IAA01210@xxxxxxxxxx>, on 05/22/00 at 09:36 AM, hal@xxxxxxxxxx said:

>> so is the signing key id the only subpacket that is allowed to go in
>> the unhashed area?

>No, anything which might reasonably be considered to be "advisory" and
>not security critical could go there. For example the URL where the cert
>can be found. I don't know if there is an exhaustive list. The point is
>that the software needs to be aware that material in the unhashed region
>is not authenticated and could have been tampered with.

>> also, for a given subpacket type, can instances of
>> that subpacket appear in either the hashed subpacket field or the
>> unhashed subpacket field, or is it a mutually exclusive situation?

>I don't see any problem in allowing that.

As an open question to list members:

What do you consider the proper response of OpenPGP software (client &
server) when an established key (i.e., a key on the server or user's keyring)
is "updated" and unhashed data has been changed?

Take the example:

Software A lets the user enter on his key the preferred URL to obtain his
key on the self-sig for his key and the software stores it in an unhashed
subpacket.

The user distributes his key (other users, servers, etc.).

Software A also allows the user to change this at a later date without
creating a new signature.

The user distributes this "updated" key.

How should the receiving software treat this "updated" data?

-- Ignore the "new" data
-- Accept the "new" data in place of the old data
-- Notify the receiver that there is "new" data and let him decide
-- ....?

--
---------------------------------------------------------------
William H. Geiger III http://www.openpgp.net
Geiger Consulting
Data Security & Cryptology Consulting
Programming, Networking, Analysis
PGP for OS/2: http://www.openpgp.net/pgp.html
E-Secure: http://www.openpgp.net/esecure.html
---------------------------------------------------------------
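
The scenario raised in this message, as an added example that is not part of the original post or of any OpenPGP implementation: a receiver-side check that tells an "update" touching only the unhashed subpacket area apart from a genuinely different signature, using the v4 signature packet layout from RFC 2440 section 5.2.3. The function names and the sample packets are assumptions made for illustration, and no signature verification is performed.

```python
def parse_subpackets(area):
    """Decode a subpacket area into (type, critical, data) tuples."""
    out, i = [], 0
    try:
        while i < len(area):
            first = area[i]
            if first < 192:                      # one-octet length
                length, i = first, i + 1
            elif first < 255:                    # two-octet length
                length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
            else:                                # 0xFF, then four-octet length
                length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
            if length < 1 or i + length > len(area):
                raise ValueError("bad or truncated subpacket")
            out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
            i += length
    except IndexError:
        raise ValueError("truncated subpacket length")
    return out

def split_v4_signature(body):
    """Return (signed_prefix, unhashed_area, tail) of a v4 signature packet body."""
    if len(body) < 8 or body[0] != 4:
        raise ValueError("not a v4 signature body")
    hend = 6 + int.from_bytes(body[4:6], "big")       # end of hashed area
    uend = hend + 2 + int.from_bytes(body[hend:hend + 2], "big")
    if uend > len(body):
        raise ValueError("subpacket area overruns packet")
    return body[:hend], body[hend + 2:uend], body[uend:]

def classify_update(old, new):
    """Compare two copies of one signature as a keyring or server would on import."""
    o_signed, o_unhashed, o_tail = split_v4_signature(old)
    n_signed, n_unhashed, n_tail = split_v4_signature(new)
    if (o_signed, o_tail) != (n_signed, n_tail):
        return "different-signature", []
    changed = sorted(set(parse_subpackets(o_unhashed)) ^ set(parse_subpackets(n_unhashed)))
    return ("unhashed-only-change" if changed else "identical"), changed

# Constructed sample: dummy hash prefix and MPI, not a real key or signature.
def make_sub(sub_type, data):
    return bytes([len(data) + 1, sub_type]) + data
def make_sig(unhashed):
    hashed = make_sub(2, (958980960).to_bytes(4, "big"))   # creation time
    return (bytes([4, 0x13, 1, 2]) + len(hashed).to_bytes(2, "big") + hashed +
            len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd" + b"\x00\x08\xff")
OLD = make_sig(make_sub(16, bytes(8)) + make_sub(24, b"http://keys.example/a"))
NEW = make_sig(make_sub(16, bytes(8)) + make_sub(24, b"http://keys.example/b"))
```

For `OLD` and `NEW`, `classify_update` reports an unhashed-only change in subpacket type 24 (preferred key server), which is the point at which a receiver would apply whichever policy from the list above it has chosen.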