2 FAQs

David Shaw dshaw@jabberwocky.com
Fri Dec 6 14:19:02 2002

On Thu, Dec 05, 2002 at 11:38:12PM +0100, Michael Nahrath wrote:
> David Shaw <dshaw@jabberwocky.com> schrieb am 2002-12-05 23:12 Uhr:
> >> Is there a way to "tune up" an already given signature?
> > 
> > You can reissue the signature.  Revoke the first via "revsig", and
> > then issue a new one.
> AFAIKS no need to revoke.
> I can as well delete my old signature locally, sign again and --recv-keys
> from the keyserver or --import the key again from a local (unaltered) copy.
> Then it has two different (positive) sigs by me but no revocation
> (why revoke if there is no reason?).
> But as long as all this doesn't concern trust levels or security I'll have
> better things to do ;-)

Well, it's not clear.  Like you say, you end up with two sigs.  If you
later revoke one (or one expires), what should the reading program do?
Does revoking the later effectively revoke the earlier?  Does the
later one expiring effectively expire the earlier?

In GnuPG, the answer is yes in both cases.  However, the OpenPGP
standard is silent on trust issues (it's really a file format
specification).  There may be other implementations with other
choices, so the only way to *guarantee* that you get what you want is
to revoke the old signature before making the new one.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson