Re: PoP & Signer's User ID subpacket?

[Trevor Perrin <trevp@xxxxxxxxx>]

At 08:30 AM 6/17/2003 -0400, David Shaw wrote:

> On Mon, Jun 16, 2003 at 09:47:59PM -0700, Trevor Perrin wrote:
> > [...]
> > The problem is that there's a forward-linkage from a primary key to a
> > subkey, but no back-linkage from a signing subkey to the primary key.  Hal
> > suggested having the signing subkey also certify the primary key.  I
> > suggested having the signatures produced by the signing subkey have the
> > primary key's ID as a hashed subpacket.
>
> Yes.  There are pros and cons, but on balance I like Hal's solution a
> bit better as it only needs to be done once, presumably at key
> generation time.  The subpacket solution needs to be done every time
> the signing subkey issues a signature.
>
> The subpacket solution does have a nice side effect in that it becomes
> possible to always know the primary key when looking at a subkey
> signature.  Since most keyservers don't support search-by-subkey yet,
> this could be handy. [...]

Another slight advantage is that the relying party doesn't have to verify 
an extra signature.  Also, pre-existing keys with signing subkeys wouldn't 
have to be modified, they could just start issuing signatures with this new 
subpacket.  (On the other hand, with the solution you and Hal advocate, if 
you *do* modify the key by adding a back-signature, then pre-existing 
message signatures can take advantage of it, so maybe this is a wash).

Either solution seems fine.  You also mentioned requiring self-signatures 
on user IDs, which seems like a good thing to insist on, and pretty much 
takes care of the proof-of-possession concern I was raising, I think.

Trevor