On Tue, Jul 9, 2019 at 2:10 PM Werner Koch <w...@gnupg.org> wrote:

> The problem I see is that the keyservers need to check the validity of
> the 0x50 signature first. Only this will allow them to distribute only
> key-signatures which have been approved by the key owner.

Correct, a keyserver would need to validate signatures before including them in the public API. However, when gossiping with peers, they could still include the hashes of non-verified signatures so they stay in sync with each other.

> If that has been achieved we can quickly add the required feature to
> gpg.

While adding the ability for 0x50 signatures would be nice, I would still like to explore ways of users self-limiting signatures within the existing gpg command line, since most users will be just using whatever version is in their operating system repo or whatever version they downloaded at the time of installation.

So it seems like Notation Data subpackets may be the way to go instead of 0x50 Third-Party Confirmation signatures, since notations can be added in the existing gpg edit-key interface. I'll begin playing around with this interface to see what kind of user experience is possible.

Thanks for the prompt responses!

Daniel

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users