restoring a key
disastry@saiknes.lv
Fri Oct 26 11:53:01 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
David Shaw wrote:
> > > > I doubt it is even possible (I have not tested however).
> > > > RFC probably allows multiple subkey binding signatures (I'm not sure),
> > > > but gpg does not handle 'em well.
> > >
> > > It is possible, the RFC does allow it,
> > ok
> >
> > > and gpg handles it just fine.
> >
> > no it does not.
> >
> > for example get my key from keyserver and import it into gpg - only one
> > subkey will be imported, but the key has 2.
> > that's because the keyserver has somehow copied the binding sig from one subkey to the other
> > and now that subkey has two sigs - one valid, the other not.
>
> That's a different problem. If you extend the expiration date of a
> subkey, you create an additional *valid* binding signature. Thus, you
> have two valid binding signatures. As I said, gpg handles this just
> fine.
ok. maybe it does. in that case.
but I still maintain that gpg does not handle multiple subkey binding signatures well.
ok, it's different problem.
> I just pulled your key from a keyserver and it looks like this:
>
> pubkey
> userid
> (sigs)
> userid
> (sigs)
> userid
> (sigs)
> public subkey 1
> public subkey 2
> (binding sig for 1)
>
> You have two subkeys and one binding signature, and the binding
> signature is attached to the wrong subkey.
damn.. no binding signature? why? keyservers suck, they can just go and remove signatures :E
of course gpg is right in this case, it should not use any of the subkeys.
> Just for the hell of it, I
> rearranged the packets so that the binding sig was in the right place
> and the key was happy again.
of course it was..
I just checked most keyservers for my key,
they all have different numbers and order of subkeys and
binding signatures:

pgpkeys.mit.edu (*.pgp.com, *.nai.com):
    pubkey
    userids & sigs
    public subkey 991C445E
    binding sig for 991C445E
    public subkey 7E409F38
    binding sig for 991C445E
    binding sig for 7E409F38

europe.keys.pgp.com (keys.pgpi.net, pgp.surfnet.nl, horowitz.surfnet.nl, wwwkeys.nl.pgp.net)
wwwkeys.ch.pgp.net
wwwkeys.dk.pgp.net (pks.pgp.dk)
www.pgp.uk.demon.net
pgp.uni-mainz.de
    pubkey
    userids & sigs
    (no subkeys at all!!!)

wwwkeys.cz.pgp.net (ms.pgp.cz, pks.www.cz)
pgp.es.net
blackhole.pca.dfn.de
pgp.nic.ad.jp
pgp.rediris.es
    pubkey
    userids & sigs
    public subkey 991C445E
    public subkey 7E409F38
    binding sig for 991C445E
(I think you used one of these)

pgp.cc.gatech.edu
    pubkey
    userids & sigs
    public subkey 7E409F38
    public subkey 991C445E
    binding sig for 7E409F38
(or maybe this one)

germany.keyserver.net (keyserver.topnet.de)
    pubkey
    userids & sigs
    public subkey 7E409F38
    binding sig for 7E409F38
    binding sig for 991C445E
    public subkey 991C445E
    binding sig for 991C445E
    binding sig for 7E409F38

seattle.keyserver.net
    pubkey
    userids & sigs
    public subkey 7E409F38
    binding sig for 7E409F38
    public subkey 991C445E
    binding sig for 991C445E
(only one with correct order of subkeys and binding sigs)

try the key from germany.keyserver.net - it has 2 subkeys,
each of them has a valid sig (first) and an invalid sig.
gpg does not import them :-(
__
Disastry http://disastry.dhs.org/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
^--GPG for Win32 (supports loadable modules and IDEA)
^----PGP 2.6.3ia-multi05 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
AES, 3DES ciphers and MD5, SHA1, RIPEMD160, SHA2 hashes)
-----BEGIN PGP SIGNATURE-----
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1
iQA/AwUBO9kVsDBaTVEuJQxkEQNexgCg1mgmaq3BsyuSsRKZgvwSYlg9GlwAoOBV
1TF09IrbOj2wteG4U6+qdOBz
=TCMB
-----END PGP SIGNATURE-----
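
Added example, not part of the original message and not gpg's code: a structural check that walks the packets of a binary (dearmored) OpenPGP key and counts the subkey binding signatures (type 0x18) placed directly after each subkey, which is how the layouts listed above differ. It verifies nothing cryptographically, so a sig copied onto the wrong subkey is still counted; the packet bodies and the names packets, binding_counts and pkt are constructed for illustration.

```python
# Added example: packet framing per RFC 4880; signature bodies are not verified.
PUBKEY, SIG, USERID, SUBKEY = 6, 2, 13, 14
SUBKEY_BINDING = 0x18  # signature type of a subkey binding signature

def packets(data):
    """Yield (tag, body) for each packet (old- and new-format headers)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:                       # new format: tag in low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body length not handled")
        else:                                # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = int.from_bytes(data[i:i + (1 << ltype)], "big")
            i += 1 << ltype
        yield tag, data[i:i + n]
        i += n

def binding_counts(data):
    """Per subkey, in order: number of binding sigs placed directly after it."""
    counts = []
    for tag, body in packets(data):
        if tag == SUBKEY:
            counts.append(0)
        elif tag == SIG and counts:
            # v2/v3 bodies: version, 0x05, type; v4 bodies: version, type
            stype = body[2] if body[0] in (2, 3) else body[1]
            counts[-1] += stype == SUBKEY_BINDING
    return counts

def pkt(tag, body):  # constructed test packets: old format, one-byte length
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed key skeleton in the order David Shaw listed: two subkeys, one sig.
head = pkt(PUBKEY, b"\x04pk") + pkt(USERID, b"uid") + pkt(SIG, b"\x04\x10")
shaw_layout = head + pkt(SUBKEY, b"\x04s1") + pkt(SUBKEY, b"\x04s2") + pkt(SIG, b"\x04\x18")
```

A zero in the result marks a subkey with no binding signature attached to it, the case where the subkey should not be used.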