Re: PoP & Signer's User ID subpacket?

[David Shaw <dshaw@xxxxxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 17, 2003 at 10:13:58AM -0400, Derek Atkins wrote:
> David Shaw <dshaw@xxxxxxxxxxxxxxx> writes:
> 
> > Yes.  Hal suggested something similar, but to have the signing subkey
> > certify the primary.
> 
> That's not sufficient..  We need both signature keys to cross-certify.
> The attack without cross-certification is that I could generate a
> signing key and then certify that it's a signing subkey of
> president@xxxxxxxxxxxxxxx

Sorry, I wasn't clear.  I should have said "... in addition to the
current subkey certification from the primary".

> > Does anyone have any thoughts on the details of this?  We already have
> > all the parts needed to have a signing subkey certify the primary
> > (just have the subkey issue a 1F signature).  I like your suggestion
> > to put it in the subkey self-signature since that will avoid the
> > inevitable messiness when a subkey is deleted, but leaves behind the
> > 1F signature.  Putting it in the subkey self-signature keeps things
> > neat.
> 
> I think this is exactly where a notary-style double-signature is
> useful (and should be required as a MUST).

So, the primary signs the subkey as before and then the subkey
notarizes (0x50 sig) this signature?  That sounds good, but we'll end
up with two signature packets after the signing subkey.  I'm afraid it
would be likely to confuse pre-2440bis implementations which don't
expect to see that extra signature there.

If we put the subkey-on-primary signature IN the original
primary-on-subkey signature (as a new subpacket), then it won't break
older implementations.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7yeb4mZch0nhy8kRAlA5AJ4/ISSYODKaqfddnrTshij3wdCIwgCgkDlv
nJ7Tnd18mVYhmWpeltpcE1M=
=6y3m
-----END PGP SIGNATURE-----