On 2019-07-09 at 15:55 -0500, Daniel Roesler via Gnupg-users wrote:
> While adding the ability for 0x50 signatures would be nice, I would
> still like to explore ways of users self-limiting signatures within
> the existing gpg command line, since most users will be just using
> whatever version is in their operating system repo or whatever version
> they downloaded at the time of installation.

We are currently in a catch-22 situation, where neither clients nor keyservers support such confirmation signatures. However, clients will eventually update, while we will be stuck forever supporting whatever format is devised.

I think it's more important to define the right packets, based on packet semantics and also for performing on-the-fly validation.

The users will need updated software for making a confirmation signature anyway (even if it's just an extra shell script over gpg1); I see little hassle in requiring gpg >= 2.2.18 instead. Especially taking into account that receiving new (legitimate) sigs is an uncommon event.

It wouldn't be that bad if someone had to use a LiveCD in order to incorporate a new signature, just as you may need to use a certification key which you usually keep offline. (It would be good if this prompted them to update their day-to-day client, though.)

Please go for the best solution in the long term, not just the one which is easiest to support with ancient clients for the sake of it.

Kind regards

PS: This is not an endorsement of one type over the other, I haven't evaluated the merits of either option (yet).