key history on keyservers

Dennis Lambe Jr. malsyned at cif.rochester.edu
Sun Dec 21 19:56:08 CET 2003


When working with PGP data, an important rule of thumb to bear in mind
is this:
You cannot remove information from the world once you have placed it
there, you can only add to it.

When you place PGP information on a keyserver, or anywhere else, each
individual chunk of data (Primary key, UID, subkeys, etc.) bears your
signature, a mark that it is authentic and approved by you.  If you wish
to later reverse that statement, your only option (as per the rule of
thumb) is to add another signature to the data with a flag stating that
you disavow the signed information.  This kind of signature is called a
"revocation certificate" and is the only way that you can effectively
"take back" any part of a public key once you've put it out there.

If you wish to remove a UID (because you're unhappy with the comment
part of it) and create another, your only sure way to do so is to revoke
the old UID and create a new one, which will then have to be signed by
all of your original signatories.

The old comment will always be a part of your key, but it will bear a
revocation signature that nullifies it, and most PGP software will
ignore it unless told specifically to do otherwise.

The "delete" feature of the --edit-key prompt is really only useful to
remove packets on your key that haven't been released publicly yet.

The system is set up that way so that someone other than yourself can't
delete parts of your key and then upload them to a keyserver.  There is
no way to remove any part of a key without verifying (via a signature)
that you have the right to do so, and this is a major feature, not a
bug.

--D
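The revoke-then-replace procedure described in the post, as an added example that is not part of the original message: it generates a throwaway key in an isolated GNUPGHOME, adds a replacement UID, revokes the old one with gpg's batch-mode --quick-* commands, and then shows that the old UID is still present in the key (its validity flag becomes `r` and the exported key gains a certification-revocation signature, sigclass 0x30). The UID strings and the helper function names are constructed for this demo; it assumes a GnuPG 2.1.17 or newer `gpg` on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): revoking a UID adds a
# revocation signature; it does not delete the UID from the key.
set -eu

# Skip gracefully where gpg is unavailable.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping demo"; exit 0; }

# Isolated keyring so the real ~/.gnupg is never touched; cleaned up on exit.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Constructed sample UIDs: the "old" one carries the comment we regret.
OLD_UID="Demo User (old comment) <demo@example.invalid>"
NEW_UID="Demo User (new comment) <demo@example.invalid>"

# Common options: unattended, no passphrase on the demo key.
GPG="gpg --batch --quiet --pinentry-mode loopback --passphrase "

# Fingerprint of the first primary key in the keyring (colon field 10 of an "fpr" line).
primary_fpr() {
  gpg --batch --with-colons --list-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate the key with the old UID, add the new UID, then revoke the old one.
demo_revoke_uid() {
  $GPG '' --quick-generate-key "$OLD_UID" default default never 2>/dev/null
  FPR="$(primary_fpr)"
  $GPG '' --quick-add-uid "$FPR" "$NEW_UID" 2>/dev/null
  $GPG '' --quick-revoke-uid "$FPR" "$OLD_UID" 2>/dev/null
}

# Validity flag (colon field 2) of the uid line whose text contains $1:
# "r" means revoked; the live UID shows "u" (or "-" before trust is computed).
uid_validity() {
  gpg --batch --with-colons --list-keys 2>/dev/null \
    | awk -F: -v want="$1" '$1 == "uid" && index($10, want) { print $2; exit }'
}

# Number of certification-revocation signatures (sigclass 0x30) in the
# exported public key. The revoked UID and its revocation travel with the key.
revocation_sig_count() {
  gpg --batch --export "$(primary_fpr)" 2>/dev/null \
    | gpg --batch --list-packets 2>/dev/null \
    | grep -c 'sigclass 0x30' || true
}

demo_revoke_uid
echo "old UID validity flag : $(uid_validity 'old comment')"   # r
echo "new UID validity flag : $(uid_validity 'new comment')"   # not r
echo "0x30 revocation sigs  : $(revocation_sig_count)"         # 1
echo "UIDs still listed     : $(gpg --batch --with-colons --list-keys 2>/dev/null | grep -c '^uid:')"  # 2
```

Uploading the exported key to a keyserver after this step is what the post calls "adding to" the public record: the server merges the new UID and the 0x30 revocation into what it already holds, and clients that honour revocations stop displaying the old comment, but a `gpg --list-packets` of the key still shows it.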