On 09/24/2010 10:30 AM, Simon Richter wrote:
> Of course. I was talking about data signatures, i.e. "I'm signing this
> with my work hat on".

ah, gotcha. sorry for the misunderstanding.

> The main use case I have is my Debian work -- when I sign a .changes
> file, the Debian archive will accept it, even if the package in question
> was really intended for another repository (where I use the same key for
> authentication).
>
> As my main key is well-established in the WoT, I'd like to use the
> existing connections to get a trust path; however using the key directly
> leads to the problem that the signature can be interpreted in multiple
> ways.

yeah, this makes sense. in the context of debian packaging, the material
signed is relevant. if your changelog says "unstable" then debian will
accept it. if you're uploading it to some other repo, that repo would
presumably be named something other than "unstable".

fwiw, it wouldn't be difficult to propose such a notation, and it should
be possible to implement it quickly in debsign using gpg's
--set-notation.

However, testing right now, it doesn't seem to work with gpg for regular
data signatures:

 echo test | gpg --sign --set-notation 't...@example.org=test' | \
   gpg --list-packets

does not show the notation :(

Werner, David, is this expected behavior? am i doing something wrong?

	--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
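An added example, not part of the original message and not code from GnuPG or debsign: how a receiving repository could check for the kind of notation discussed above, by reading Notation Data subpackets (RFC 4880, type 20) from the hashed area of a version 4 signature packet body. The notation name, the signed_for policy and the sample bytes are constructed for illustration, and the cryptographic verification of the signature is assumed to be done separately by gpg.

```python
import struct

NOTATION_DATA = 20  # signature subpacket type for Notation Data (RFC 4880, 5.2.3.16)
NAME = "intended-repo@example.org"  # hypothetical notation name, not a standard one

def iter_subpackets(area):
    """Yield (type, body) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, i + 2
        else:                                 # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask off the critical bit
        i += length

def hashed_notations(sig_body):
    """Return {name: value} for notations in the hashed (signed) area only."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    hlen = int.from_bytes(sig_body[4:6], "big")
    if 6 + hlen > len(sig_body):
        raise ValueError("truncated hashed area")
    found = {}
    for sp_type, body in iter_subpackets(sig_body[6:6 + hlen]):
        if sp_type != NOTATION_DATA:
            continue
        if len(body) < 8:
            raise ValueError("short notation subpacket")
        nlen, vlen = struct.unpack(">HH", body[4:8])  # after the 4 flag octets
        if 8 + nlen + vlen != len(body):
            raise ValueError("notation lengths do not match subpacket")
        found[body[8:8 + nlen].decode()] = body[8 + nlen:].decode(errors="replace")
    return found

def signed_for(sig_body, repo):
    """Hypothetical policy: accept only if the signer bound this repo name."""
    return hashed_notations(sig_body).get(NAME) == repo

# Constructed sample: header (v4, binary sig, RSA, SHA-256) plus subpacket areas; no MPIs.
def _sp(sp_type, body):
    return bytes([len(body) + 1, sp_type]) + body
_note = _sp(20, b"\x80\0\0\0" + struct.pack(">HH", len(NAME), 8) + NAME.encode() + b"unstable")
_time = _sp(2, struct.pack(">I", 1285324200))
SIG_HASHED = b"\x04\x00\x01\x08" + struct.pack(">H", len(_time + _note)) + _time + _note + b"\0\0"
SIG_UNHASHED = b"\x04\x00\x01\x08" + struct.pack(">H", len(_time)) + _time + struct.pack(">H", len(_note)) + _note
```

The second sample carries the same notation in the unhashed area, which the signature does not cover, so the check ignores it.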