cert-policy-url
David Shaw
dshaw at jabberwocky.com
Sat May 15 03:06:19 CEST 2004
On Fri, May 14, 2004 at 12:30:34AM -0400, Atom 'Smasher' wrote:
> two weird things about "cert-policy-url" (1.2.4)....
>
> 1) if a cert-policy-url is specified (in the config file), policy URLs are
> added even to keybinding signatures. this does not appear to be a
> violation of rfc2440, but it does seem weird.
This is intentional. Both notations and policy URLs can be attached
to self-sigs. Notations clearly need to be applied to self-sigs, but
the idea was that self-sigs may well have a policy they are issued
under as well.

I'm certainly open to discussing it. I'm somewhat allergic to adding
yet-another-option, but it is true that the notations that people
attach to self-sigs are not necessarily the same notations that people
attach to sigs on other keys.
> 2) if a subkey has its expiration date updated (to generate a new
> keybinding signature) with no policy-url specified or a different
> policy-url, the old policy-url remains intact. there appears to be no
> simple way to either change or get rid of a bad policy-url from a
> keybinding signature.
Currently you can't. Probably the policy URL should disappear when
the sig is remade. I need to think about this some more.

David
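To check whether a given keybinding signature carries a policy URL, as discussed in the message above, the hashed subpacket area can be inspected directly. The following is an added example, not part of the original message and not GnuPG code. It assumes the input is the body of a version 4 signature packet with the packet header already removed; the function names and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

SUBKEY_BINDING = 0x18  # RFC 2440 signature type: subkey binding signature
POLICY_URL = 26        # RFC 2440 signature subpacket type: policy URL

def iter_subpackets(area):
    """Yield (type, critical, data) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        try:
            first = area[i]
            if first < 192:    # one-octet length
                length, i = first, i + 1
            elif first < 255:  # two-octet length
                length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
            else:              # five-octet length
                length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        except (IndexError, struct.error):
            raise ValueError("truncated subpacket length")
        if length < 1 or i + length > len(area):
            raise ValueError("malformed or truncated subpacket")
        # The length covers the type octet; bit 7 of the type is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def hashed_policy_urls(sig_body):
    """Return (sig_type, [policy URLs]) from the hashed area of a v4 signature body."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    (hashed_len,) = struct.unpack(">H", sig_body[4:6])
    area = sig_body[6:6 + hashed_len]
    if len(area) != hashed_len:
        raise ValueError("hashed subpacket area truncated")
    urls = [d.decode("utf-8", "replace")
            for t, _crit, d in iter_subpackets(area) if t == POLICY_URL]
    return sig_body[1], urls

def _sub(sub_type, data):  # builds a constructed subpacket (one-octet length only)
    return bytes([len(data) + 1, sub_type]) + data

# Constructed sample: header and hashed area of a subkey binding signature,
# cut off after the hashed area (no unhashed area, hash prefix or MPIs).
_hashed = (_sub(2, struct.pack(">I", 1084583179))   # signature creation time
           + _sub(9, struct.pack(">I", 31536000))   # key expiration time
           + _sub(POLICY_URL, b"http://example.org/policy.txt"))
SAMPLE = bytes([4, SUBKEY_BINDING, 17, 2]) + struct.pack(">H", len(_hashed)) + _hashed

if __name__ == "__main__":
    sig_type, urls = hashed_policy_urls(SAMPLE)
    print("sig type 0x%02x, policy URLs: %s" % (sig_type, urls))
```

Only the hashed area is examined here; a subpacket placed in the unhashed area is not covered by the signature and is ignored by this check.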