v4 Signature Clarification Needed
Len Sassaman
rabbi@quickie.net
Thu Jan 10 08:11:02 2002
On Tue, 8 Jan 2002, Nick Andriash wrote:
> Could someone kindly comment on the following:
>
> "OpenPGP states that an implementation should generate v4 signatures,
> but PGP 5.x recognizes v4 signatures only on key material. This option
> forces v3 signatures on data as well."
As a side note, that should actually read "PGP 5.x and 6.x recognise...".
It wasn't until 7.0 that, at my suggestion, v4 signatures on non-key
material were recognised. (Note that PGP still makes v3 signatures on
non-key material, for obvious compatibility reasons.)
> Specifically, I'm having trouble grasping the concept of 'data' versus
> 'key material'. Are they saying that PGP 5.x recognises a v4 signature
> on a Key for instance, but will not recognise that same signature if
> used to clearsign a message? Can someone provide an example of each so I
Well, it wouldn't be the same signature, obviously... but yes, that's
basically what it says. If a v4 signature is made on a v4 key, PGP 5.x has
no problem reading it. If a v4 signature is made on a file, PGP will (I
believe) treat it as though it is a v3 sig, and the signature will not
verify.
> can better understand the difference between a v3 and v4 signature?
That's probably beyond the scope of this list -- check RFC 2440, or mail
me offlist if you're interested.
Note that there are very few instances where v4 signatures on non-key
material would be useful.
--Len.
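
The 'data' versus 'key material' distinction discussed in this thread is visible in the signature packet itself: RFC 2440 puts a version octet and a signature type octet at the start of the packet body. The following is an added example, not part of the original message or of any PGP code base; the function names, the `pgp5_6_recognises` field (which encodes only the behaviour stated in the thread) and the sample packets are constructed for illustration.

```python
# Added example: read version and signature type from an RFC 2440 signature packet.
DATA_TYPES = {0x00, 0x01}                  # binary / canonical text document
KEY_TYPES = {0x10, 0x11, 0x12, 0x13,       # certifications of a user ID
             0x18, 0x1F, 0x20, 0x28, 0x30} # bindings, direct-key, revocations

def packet_body(pkt: bytes):
    """Return (tag, body) of one definite-length OpenPGP packet."""
    if len(pkt) < 2 or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if pkt[0] & 0x40:                      # new-format header
        tag, first = pkt[0] & 0x3F, pkt[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start = 3
            length = ((first - 192) << 8) + int.from_bytes(pkt[2:3], "big") + 192
        elif first == 255:
            start, length = 6, int.from_bytes(pkt[2:6], "big")
        else:
            raise ValueError("partial body lengths not handled")
    else:                                  # old-format header
        tag, ltype = (pkt[0] >> 2) & 0x0F, pkt[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                     # 1, 2 or 4 length octets
        start, length = 1 + n, int.from_bytes(pkt[1:1 + n], "big")
    body = pkt[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def classify_signature(pkt: bytes) -> dict:
    tag, body = packet_body(pkt)
    if tag != 2 or len(body) < 3 or body[0] not in (3, 4):
        raise ValueError("not a v3/v4 signature packet")
    version = body[0]
    # v3: version, hashed-length octet (always 5), type.  v4: version, type.
    sig_type = body[2] if version == 3 else body[1]
    target = ("data" if sig_type in DATA_TYPES
              else "key material" if sig_type in KEY_TYPES else "other")
    # PGP 5.x/6.x behaviour as stated in the message above (None = not covered).
    old_pgp = True if version == 3 else {"key material": True, "data": False}.get(target)
    return {"version": version, "type": sig_type, "target": target,
            "pgp5_6_recognises": old_pgp}

# Constructed sample packets (header fields only, signature MPIs left out).
V3_CLEARSIGN = bytes([0x88, 19, 3, 5, 0x01]) + bytes(12) + bytes([1, 2, 0, 0])
V4_CLEARSIGN = bytes([0xC2, 10, 4, 0x01, 17, 2, 0, 0, 0, 0, 0, 0])
V4_KEY_CERT = bytes([0xC2, 10, 4, 0x13, 17, 2, 0, 0, 0, 0, 0, 0])
```

Type 0x01 is the signature type used for clearsigned text and 0x13 is a positive certification of a user ID on a key, so the second and third samples differ only in that one octet.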