>>>>> "Sean" == Sean Whitton <spwhit...@spwhitton.name> writes:
Sean> It's from the VALIDSIG line as documented here:
Sean> <https://github.com/gpg/gnupg/blob/master/doc/DETAILS>.
Sean> The text there doesn't guarantee that the fingerprint will be
Sean> the signing subkey, if there is one, but somewhat implies that
Sean> it will be.

FWIW, I think we should explore how the data is used. My gut feeling is that we kind of do need to tie ourselves down here for it to be useful, and that we probably do need it to be the subkey fingerprint to avoid users having to do a lot of extra work.

I'd be open to exploring how we think this field will be used by people trying to audit/verify the archive, but at this time I cannot be part of a consensus that is not specific.

My assumption is that the value of this field is to help auditing to tie back to a particular key or subkey. In some cases the subkey will matter, for example if we are concerned that it is what is compromised. In cases where we still trust the tag2upload service, it would be valuable not to have to go back to the tag itself, and so I think it is valuable to be able to trust at an interface level that it is the subkey we are talking about.
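To make the distinction in this exchange concrete, here is an added example (not code from the thread, from tag2upload, or from GnuPG) that parses the `VALIDSIG` status line as laid out in `doc/DETAILS`: the first argument is the fingerprint of the key that actually produced the signature (the subkey, when one was used) and the optional tenth argument is the primary key fingerprint. It also classifies a fingerprint recorded elsewhere (say, in archive metadata) as identifying the signing key exactly, identifying only the primary key, or matching neither; the status-fd lines and fingerprints below are constructed sample data.

```python
"""Extract signing-key vs primary-key fingerprints from gpg --status-fd output.

Added example; layout follows the VALIDSIG description in GnuPG's doc/DETAILS:
  VALIDSIG <fpr> <creation-date> <sig-timestamp> <expire-timestamp>
           <sig-version> <reserved> <pubkey-algo> <hash-algo> <sig-class>
           [ <primary-key-fpr> ]
<fpr> is the key that made the signature (a subkey if one was used);
<primary-key-fpr> is the primary key, identical to <fpr> if it signed directly.
"""
import re
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "
# v4 fingerprints are 40 hex digits, v5 fingerprints are 64
FPR_RE = re.compile(r"[0-9A-F]{40}|[0-9A-F]{64}")

# Constructed sample status streams (fingerprints are made up, not real keys).
SAMPLE_SUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-05-01 1714521600 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Primary key signed directly, and the optional trailing field is omitted
# (as older gpg versions do).
SAMPLE_PRIMARY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Uploader <uploader@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-05-01 1714521600 0 4 0 22 10 00
[GNUPG:] TRUST_FULLY 0 pgp
"""


@dataclass(frozen=True)
class ValidSig:
    signing_fpr: str   # key that actually made the signature (subkey if any)
    primary_fpr: str   # primary key that owns the signing key
    created: str       # sig_creation_date, e.g. 2024-05-01
    timestamp: int     # sig-timestamp, seconds since the epoch
    pubkey_algo: int
    hash_algo: int
    sig_class: str

    @property
    def signed_by_subkey(self) -> bool:
        return self.signing_fpr != self.primary_fpr


def parse_validsig(status_text: str) -> Optional[ValidSig]:
    """Return the first VALIDSIG record in a status-fd stream, or None."""
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields or fields[0] != "VALIDSIG":
            continue
        args = fields[1:]
        if len(args) < 9:
            raise ValueError(f"malformed VALIDSIG line: {line!r}")
        signing_fpr = args[0].upper()
        # The primary fingerprint is optional; when absent the primary signed.
        primary_fpr = args[9].upper() if len(args) >= 10 else signing_fpr
        for fpr in (signing_fpr, primary_fpr):
            if not FPR_RE.fullmatch(fpr):
                raise ValueError(f"bad fingerprint in VALIDSIG: {fpr}")
        return ValidSig(
            signing_fpr=signing_fpr,
            primary_fpr=primary_fpr,
            created=args[1],
            timestamp=int(args[2]),
            pubkey_algo=int(args[6]),
            hash_algo=int(args[7]),
            sig_class=args[8],
        )
    return None


def classify_recorded_fingerprint(sig: ValidSig, recorded: str) -> str:
    """Say what a fingerprint recorded in metadata tells an auditor.

    "signing-key": it names the exact key that signed (subkey or primary).
    "primary-only": it names the primary key, but a subkey actually signed,
                    so the subkey identity cannot be recovered from it alone.
    "mismatch":    it names neither key in the VALIDSIG record.
    """
    recorded = recorded.replace(" ", "").upper()
    if recorded == sig.signing_fpr:
        return "signing-key"
    if recorded == sig.primary_fpr:
        return "primary-only"
    return "mismatch"


if __name__ == "__main__":
    sig = parse_validsig(SAMPLE_SUBKEY)
    print("signed by subkey:", sig.signed_by_subkey)
    print("recording primary fpr gives:",
          classify_recorded_fingerprint(sig, sig.primary_fpr))
```

Fed the real output of `gpg --status-fd 1 --verify`, `parse_validsig` yields the two fingerprints, and `classify_recorded_fingerprint` shows why the thread cares which one an interface records: a value that only matches `primary_fpr` forces an auditor back to the signed tag to learn which subkey was used.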