Third-Party Confirmation signature?

Ángel angel at pgp.16bits.net
Wed Jul 10 09:50:22 CEST 2019


On 2019-07-09 at 15:55 -0500, Daniel Roesler via Gnupg-users wrote:
> While adding the ability for 0x50 signatures would be nice, I would
> still like to explore ways of users self-limiting signatures within
> the existing gpg command line, since most users will be just using
> whatever version is in their operating system repo or whatever version
> they downloaded at the time of installation.


We are currently in a catch-22 situation, where neither clients nor
keyservers support such confirmation signatures.

However, clients will eventually update, while we will be stuck forever
supporting whatever format is devised. I think it's more important to
define the right packets, based on packet semantics and also for
performing on-the-fly validation.

The users will need an updated software for making a confirmation
signature anyway (even if it's just an extra shell script over gpg1), I
see little hassle in requiring gpg >= 2.2.18 instead. Especially taking
into account that receiving new (legitimate) sigs is an uncommon event.
It wouldn't be that bad if someone had to use a LiveCD in order to
incorporate a new signature, just as you may need to use a certification
key which you usually keep offline.
(It would be good if this prompted them to update their day-to-day
client, though)

Please go for the best solution in the longterm, not just the one which
is easiest to support with ancient clients for the sake of it.


Kind regards


PS: This is not an endorsement of one type over the other, I haven't
evaluated the merits of either option (yet).
