Re: Timestamp and 3rd party sig

hal@finney.org ("Hal Finney") Mon, 17 July 2006 17:32 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G2WxW-0007Up-65 for openpgp-archive@lists.ietf.org; Mon, 17 Jul 2006 13:32:42 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G2WxU-0002QE-RB for openpgp-archive@lists.ietf.org; Mon, 17 Jul 2006 13:32:42 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k6HGcZtX055936; Mon, 17 Jul 2006 09:38:35 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k6HGcZWV055935; Mon, 17 Jul 2006 09:38:35 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k6HGcY4O055928 for <ietf-openpgp@imc.org>; Mon, 17 Jul 2006 09:38:35 -0700 (MST) (envelope-from hal@finney.org)
Received: by finney.org (Postfix, from userid 500) id 771E657FD1; Mon, 17 Jul 2006 08:32:54 -0700 (PDT)
To: ietf-openpgp@imc.org
Subject: Re: Timestamp and 3rd party sig
Message-Id: <20060717153254.771E657FD1@finney.org>
Date: Mon, 17 Jul 2006 08:32:54 -0700 (PDT)
From: hal@finney.org ("Hal Finney")
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 798b2e660f1819ae38035ac1d8d5e3ab

Daniel A. Nagy writes:
> Since I am currently implementing an OpenPGP compliant timestamping service,
> I would like to solicit opinions on the issue even without suggesting
> immediate changes to the standard. In particular, I would like to know how
> various implementations treat 0x40 signatures when encountering them during
> signature verification?

Looking at the commercial PGP parsing code, it doesn't look like it
will handle these signatures very well if they occur in a document.
In a key ring I think it will just ignore them, but in a document it
only expects type 0 or 1 signatures.  Anything above that is assumed
to be a key signature, in the document parsing code, and it will divert
to the key signature parsing code; but it does not expect to find a key
signature except following other key ring packets.  So it will trigger
a parsing error and the message will be rejected as malformed.

This code has worked like this for a number of years so there is probably
a substantial installed base.

Hal Finney