2 noob problems
Neil Williams
linux at codehelp.co.uk
Fri May 20 23:30:16 CEST 2005
On Friday 20 May 2005 7:50 pm, Alex Mauer wrote:
> Neil Williams wrote:
> > Keyservers don't delete signatures so every time you self-sign, it
> > remains on the keyserver. Deleting the signature once a key has been sent
> > to a keyserver is pointless because refreshing the key will always import
> > all the old signatures.
>
> What's the reasoning behind this? Would it not be possible/logical for
> the keyserver, or gpg's import process, to simply discard all but the
> most recent signature from any single key?
As far as self-signatures go, these are an important part of key maintenance
and key integrity. If a key has changed, there needs to be a verification
that the change is tied to the secret key. If you add a UID or change the key
behaviour in other ways, the key should be verified and the different
components of the key "tied" together with a new self-signature. It's just
like the tie on a bag - if you add another bag, you need another tie. If you
use just the latest tie to secure everything in one go, you lose the ability
to trace the management of the key.
If you're thinking of the other signatures, consider that people spend a lot
of time and travel large distances to gain signatures on their keys - why
should that be wiped out arbitrarily?
Even if the key that made the signature is out of use, the signature itself is
still valid - it testifies that the owner of the key was verified on the date
shown by the person named in the signing key.
Why is a new signature (of either type) more important than an old one?
--
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
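As an added illustration of the points in this reply (example code, not from the thread or from GnuPG): a toy Python model of keyserver-style merging with constructed key IDs and user IDs. It shows why refreshing re-imports a locally deleted self-signature, and why keeping only the newest signature per signing key would leave earlier user IDs unbound.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:
    issuer: str     # key ID of the key that made the signature
    target: str     # user ID the signature is bound to
    created: int    # creation time (toy value: days since epoch)
    self_sig: bool  # True when the issuer is the key's own primary key

@dataclass
class Key:
    key_id: str
    uids: frozenset
    sigs: frozenset

def merge(local, remote):
    """Keyserver/import semantics: union of components and signatures, nothing dropped."""
    assert local.key_id == remote.key_id
    return Key(local.key_id, local.uids | remote.uids, local.sigs | remote.sigs)

def bound_uids(key):
    """A UID counts only if a self-signature from the primary key ties it to the key."""
    return {u for u in key.uids
            if any(s.self_sig and s.issuer == key.key_id and s.target == u for s in key.sigs)}

def keep_only_newest(key):
    """The scheme asked about in the thread: keep only the newest signature per issuer."""
    newest = {}
    for s in key.sigs:
        if s.issuer not in newest or s.created > newest[s.issuer].created:
            newest[s.issuer] = s
    return Key(key.key_id, key.uids, frozenset(newest.values()))

def demo():
    uid1, uid2 = "Neil <n@example.org>", "Neil <neil@example.com>"  # constructed UIDs
    self1 = Sig("AAAA", uid1, 100, True)
    self2 = Sig("AAAA", uid2, 200, True)   # later self-sig, ties the second UID
    cert = Sig("BBBB", uid1, 150, False)   # third-party cert; key BBBB later out of use
    server = Key("AAAA", frozenset({uid1, uid2}), frozenset({self1, self2, cert}))
    local = Key("AAAA", server.uids, server.sigs - {self1})  # user deletes a self-sig locally
    refreshed = merge(local, server)                         # a refresh re-imports it
    return {
        "bound_on_server": len(bound_uids(server)),
        "bound_after_local_delete": len(bound_uids(local)),
        "bound_after_refresh": len(bound_uids(refreshed)),
        "old_cert_survives_refresh": cert in refreshed.sigs,
        "bound_if_only_newest": len(bound_uids(keep_only_newest(server))),
    }

if __name__ == "__main__":
    print(demo())
```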