Notary signature implementation notes

David Shaw <> Mon, 19 August 2002 17:59 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id NAA11228 for <>; Mon, 19 Aug 2002 13:59:14 -0400 (EDT)
Received: by (8.11.6/8.11.3) id g7JHqcs14181 for ietf-openpgp-bks; Mon, 19 Aug 2002 10:52:38 -0700 (PDT)
Received: from ( []) by (8.11.6/8.11.3) with ESMTP id g7JHqbn14177 for <>; Mon, 19 Aug 2002 10:52:37 -0700 (PDT)
Received: (from dshaw@localhost) by (8.11.6/8.11.6) id g7JHqXr09314 for; Mon, 19 Aug 2002 13:52:33 -0400
Date: Mon, 19 Aug 2002 13:52:33 -0400
From: David Shaw <>
Subject: Notary signature implementation notes
Message-ID: <>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="6c2NcOVqGQ03X4Wi"
Content-Disposition: inline
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Phase-Of-Moon: The Moon is Waxing Gibbous (90% of Full)
User-Agent: Mutt/1.5.1i
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

Hi folks,

I recently roughed in some support for notary signatures in GnuPG.
Here are some samples.  The first attachment is the file the original
signature was issued on.  The second attachment is a detached
signature on that file.  The third attachment is a v4 0x50 signature
on that signature, and the final attachment is a v3 0x50.

All of these signatures were issued by key 0xD8B2D20C, currently on a
friendly keyserver near you.

I used the canonicalization rules Hal Finney suggested in except I
used the constant 0x88 rather than 0x84 for the canonical CTB.  I
believe 0x84 was a typo since that would be a CTB for a session key

It was suggested that notary signatures always contain a signature
target subpacket.  After implementing notary signatures, I'm not sure
how useful this would be given the current signature target subpacket.
To create the subpacket, the notary needs to have the public key of
the signer of the original signature in order to get the raw hash out
of the original signature.  That harms somewhat the nice feature of a
notary signature that the notary does not need to know anything about
the original document and its signer.  One possible solution to this
is to define the signature target subpacket as a canonical hash of the
original signature rather than as the actual hash from the original


   David Shaw  |  |  WWW
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson