Re: [openpgp] OpenPGPv5 wish list

ianG <> Mon, 29 April 2013 09:40 UTC

On 29/04/13 12:15 PM, Jean-Jacques wrote:

> 2) What is the key used for?
> And I see at least 4 purposes :
>   - To authenticate itself through TLS  [RFC6091]
>   - Maybe To sign other certificates (subkeys on smartcard issues)
>   - To authenticate through HTTP (gpgauth or
>   - To sign an OpenUDC transaction.
> I work especially on the 2 last purposes. And having the possibility
> for the owner to set descriptions, or more flags on its (sub)keys inside
> its OpenPGP certificate, would be a more elegant solution than some
> workaround we have to manage.

Some comments from my experience/perspective, only.  In my work I have 
done this by using pgp's comment field aka uid.  Here's some:

$ gpg -k | grep uid

uid                  Iang [certification] (Africa-2012) <>
uid                  Iang [contract] (lowsec-PIZZA-only) <>
uid                  Systemics [operator] (Africa-2012) <>
uid                  Systemics [server] (Babba-2012) <>
uid                  Systemics [receipt] (Babba-2012) <>
uid                  Systemics [receipt] (offa-20130101) <>
uid                  Systemics [server] (offa-20130102) <>

In my software I use the [tag] for the purpose, the (text) as a human 
comment, and everything else as the name of the keyholder.  You could do 
whatever tho.

Perhaps more on point, I do not want the OpenPGP system to provide me 
with bits that allow me to set purpose or anything else, because OpenPGP 
is too low-level.  My designed claims like "this is an operator key" are 
too involved in the business layer to be foisted onto anyone else.  The 
history of key-bits being used for human claims suggests this is a fast 
way to failure.  E.g., non-revocation and the infamous 
you-must-understand-me bit.

I don't know if this logic applies to anyone else.  But if it did, 
hypothetically, I might record your claims in my key uids as such:

uid                  Iang [HTTP-auth] (social-networks) <>
uid                  Systemics [UDC-agent] (Black-2012) <>
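
The uid convention described in this message, name then [tag] then (comment), as an added Python example. It is not part of the original message and not the author's software; the regex, function names and the ALLOWED set are assumptions made for illustration.

```python
import re

# Layout from the message: NAME [purpose] (comment) <email>.
# The regex, function names and ALLOWED set are assumptions of this example.
UID_RE = re.compile(
    r"^uid\s+(?P<name>[^\[\]()<>]+?)"
    r"(?:\s*\[(?P<purpose>[^\[\]]+)\])?"
    r"(?:\s*\((?P<comment>[^()]*)\))?"
    r"(?:\s*<(?P<email>[^<>]*)>)?\s*$"
)

# Purpose tags that appear in the first listing of the message.
ALLOWED = {"certification", "contract", "operator", "server", "receipt"}

# uid lines copied from the message, plus one constructed untagged line.
SAMPLE = [
    "uid                  Iang [certification] (Africa-2012) <>",
    "uid                  Iang [contract] (lowsec-PIZZA-only) <>",
    "uid                  Systemics [operator] (Africa-2012) <>",
    "uid                  Systemics [server] (Babba-2012) <>",
    "uid                  Systemics [receipt] (Babba-2012) <>",
    "uid                  Systemics [receipt] (offa-20130101) <>",
    "uid                  Systemics [server] (offa-20130102) <>",
    "uid                  Example Holder (untagged) <>",  # constructed
]

def parse_uid(line):
    """Split one uid line into name, purpose, comment and email."""
    m = UID_RE.match(line)
    if m is None:
        return None  # not a uid line, or not in the expected layout
    fields = m.groupdict()
    fields["name"] = fields["name"].strip()
    return fields

def uids_for_purpose(lines, purpose, allowed=ALLOWED):
    """Return the uids tagged with exactly `purpose`.

    Fails closed: an unknown purpose is rejected, and a uid without a
    tag never matches, so an unlabelled key is good for nothing.
    """
    if purpose not in allowed:
        raise ValueError("unknown purpose: %r" % purpose)
    parsed = (parse_uid(line) for line in lines)
    return [u for u in parsed if u and u["purpose"] == purpose]

if __name__ == "__main__":
    for uid in uids_for_purpose(SAMPLE, "receipt"):
        print(uid["name"], uid["comment"])
```

A uid is free text chosen by whoever generates the key, so a tag parsed this way only carries meaning on keys the application already trusts.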