Why ignore Signer's User ID?
The spec says:
This specification explicitly ignores the Signer's User ID subpacket, which is not meaningful for authentication.
But a trust signature of sigtype 0x10-0x13 (a certification, covering a user ID) appears to suggest that it is only relevant for signatures made by that key and user ID. Compare that to a trust signature of sigtype 0x1F (direct key signature), which would be relevant only for the key.
A direct-key tsig has only one conceivable meaning:
- a delegation to accept any certification made by this primary key (or any of its certification-capable subkeys), regardless of "Signer's User ID" in the certification in question.
I see two possible ways of thinking about a certification tsig, which would result in different graphs:
- a similar delegation, but only where the "Signer's User ID" subpacket is present in the certification in question, and matches the UID certified with a tsig.
- a similar delegation, but not including any certification with a non-matching "Signer's User ID" subpacket.
That is, the two interpretations differ only in what happens when no "Signer's User ID" subpacket is present in the certification in question. Should a certification tsig work as a delegation in that case?
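To make the three cases (matching, non-matching, absent subpacket) concrete, here is an added example that models the delegation check under each reading. It is illustrative code written for this discussion, not code from the original post, from any OpenPGP implementation, or from the spec being quoted; the dataclasses, the policy names ("ignore", "require_match", "reject_mismatch"), and the fingerprints and user IDs are all made up for the example. Only the sigtype values are taken from RFC 4880.

```python
from dataclasses import dataclass
from typing import Optional

# Signature types from RFC 4880 section 5.2.1.
SIG_CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # certifications over a user ID
SIG_DIRECT_KEY = 0x1F                       # direct-key signature


@dataclass(frozen=True)
class TrustSignature:
    """A trust signature (tsig) made by `issuer` over `target` (hypothetical model)."""
    sigtype: int
    issuer_fpr: str                 # the key that delegates trust
    target_fpr: str                 # the primary key being delegated to
    target_uid: Optional[str]       # UID covered by a 0x10-0x13 tsig; None for 0x1F


@dataclass(frozen=True)
class Certification:
    """A certification made by the delegate on some third-party key (hypothetical model)."""
    signer_fpr: str                 # issuer of the certification
    signer_user_id: Optional[str]   # value of the Signer's User ID subpacket, or None if absent
    certified_fpr: str
    certified_uid: str


def delegation_applies(tsig: TrustSignature, cert: Certification, policy: str) -> bool:
    """Return True if `tsig` makes `cert` acceptable under the given reading.

    policy:
      "ignore"          - the spec's rule: the Signer's User ID subpacket is never consulted.
      "require_match"   - first reading in the post: the subpacket must be present and equal
                          to the UID the tsig was made over.
      "reject_mismatch" - second reading: only a present, non-matching subpacket disqualifies.
    """
    # A delegation only ever covers certifications issued by the delegated key.
    if cert.signer_fpr != tsig.target_fpr:
        return False

    if tsig.sigtype == SIG_DIRECT_KEY:
        # Direct-key tsig: covers every certification by that key, whatever the subpacket says.
        return True

    if tsig.sigtype not in SIG_CERT_TYPES:
        raise ValueError(f"unsupported tsig type 0x{tsig.sigtype:02x}")
    if tsig.target_uid is None:
        raise ValueError("a certification tsig must cover a user ID")

    if policy == "ignore":
        return True
    if policy == "require_match":
        return cert.signer_user_id is not None and cert.signer_user_id == tsig.target_uid
    if policy == "reject_mismatch":
        return cert.signer_user_id is None or cert.signer_user_id == tsig.target_uid
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample data (not real keys).
ALICE = "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"   # delegating key
BOB = "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"     # delegate
CAROL = "CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333"   # certified by Bob
BOB_WORK = "Bob <bob@work.example>"
BOB_HOME = "Bob <bob@home.example>"

UID_TSIG = TrustSignature(0x13, ALICE, BOB, BOB_WORK)
DIRECT_TSIG = TrustSignature(SIG_DIRECT_KEY, ALICE, BOB, None)

CERT_MATCH = Certification(BOB, BOB_WORK, CAROL, "Carol <carol@example>")
CERT_MISMATCH = Certification(BOB, BOB_HOME, CAROL, "Carol <carol@example>")
CERT_ABSENT = Certification(BOB, None, CAROL, "Carol <carol@example>")


def compare_readings(tsig: TrustSignature) -> dict:
    """Tabulate the outcome of each reading for the three subpacket cases."""
    cases = {"match": CERT_MATCH, "mismatch": CERT_MISMATCH, "absent": CERT_ABSENT}
    return {
        name: {p: delegation_applies(tsig, cert, p)
               for p in ("ignore", "require_match", "reject_mismatch")}
        for name, cert in cases.items()
    }


if __name__ == "__main__":
    for name, row in compare_readings(UID_TSIG).items():
        print(f"{name:9s} {row}")
```

Running it shows that for a certification tsig the two readings agree on the "match" and "mismatch" rows and disagree only on "absent", which is exactly the case the question turns on; for a direct-key tsig every row is True under every reading.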