messed up a bit

Yenot yenot@sec.to
Tue Jun 24 15:59:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 23 June 2003 05:44 pm, Marcin Gil wrote:
> Hi there!
>
> Considering all your opinions I did something like this:
> - revoked my key <mgil : vernet pl> and sent a revcert to
> keyserver.net. - deleted a signature of <mgil : vernet pl> from my
> second (thus now primary) key <mgil : bmp net pl>
>
> I've sent updated <mgil : bmp> key to keyserver.net. Boom. There
> are two self-signatures of <mgil : bmp> and I don't know why.
> I've messed something up and don't know what.. please explain.
>
> I can revcert the key, since only 1 or 2 people got it.

From the text above, I can't tell how the second signature appeared.
My guess is that when you deleted the <mgil : vernet pl> signature,
you also accidentally deleted your self signature ... and later
recreated it. (Perhaps you deleted the entire UID and then recreated
it?) If the signature appeared twice on your local keyring (versus
only on the keyserver), you merged this newly created signature onto
a backup (original or older) version of your key.

If you have multiple signatures from the same user-id (including self
signatures), GnuPG will ignore all but the most recent signature when
performing internal calculations. Redundant signatures aren't
aesthetically pleasing, but they don't cause problems other than
confusion.

The most confusing part is as follows:

When *importing* signatures made by the same key, OpenPGP
implementations do the following:

 If the imported signature is newer than the existing signature:
  GnuPG:  Keeps both signatures
  PGPv8:  Keeps both signatures

 If the imported signature is older than the existing signature:
  GnuPG:  Drops the older signature
  PGPv8:  Keeps both signatures

So the number of signatures shown on a key can depend on the order in
which those signatures were imported. The same key imported into both
GnuPG and PGPv8 may show different numbers of signatures. Also, if
the signatures were created on the same day, they will look the
same from within GnuPG and PGPv8, although their timestamps differ.
Use http://www.pgpdump.net/ if you need to see the full timestamps on
signatures.

 - Yenot
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE++C5XP247TY29IxARAuewAJwPf3fZFLv9H85z/OXXOYzqg6ypIwCfaSua
js4Hq9aQjhAvY3r3SLayacY=
=SNyF
-----END PGP SIGNATURE-----
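The import-order effect and the "same day, different timestamp" point in the message above can be reproduced without a real keyring. The following is an added example, not code from Yenot's post or from GnuPG or PGP: it parses OpenPGP signature packets far enough to pull the issuer key ID and the full creation timestamp out of the subpackets (the information pgpdump shows), and models the two merge policies from the table. The packets are constructed inline: v4 positive-certification self-signatures with a fake issuer key ID (0123456789ABCDEF), dummy hash prefix and MPI, and creation times one hour apart on the same day. Dropping byte-identical duplicates under both policies is an assumption of the model, not something the post states.

```python
"""Minimal OpenPGP signature-packet inspector plus a model of the two import
policies described in the post.  Added example, not code from the original
message or from GnuPG/PGP.  All packets are constructed: v4 positive
certifications (0x13) with a fake issuer key ID and dummy hash prefix / MPI."""
import struct
from datetime import datetime, timezone

TAG_SIGNATURE = 2
SUBPKT_CREATION_TIME = 2   # RFC 4880 5.2.3.4; only trusted from the hashed area
SUBPKT_ISSUER = 16         # RFC 4880 5.2.3.5; usually in the unhashed area


def _subpacket(stype, data):
    # one-octet length form: the length counts the type octet plus the data (< 192)
    return bytes([len(data) + 1, stype]) + data


def build_v4_sig(issuer_keyid_hex, created, sig_type=0x13, new_format=False):
    """Constructed v4 signature packet; only the fields the parser reads are real."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created))
    unhashed = _subpacket(SUBPKT_ISSUER, bytes.fromhex(issuer_keyid_hex))
    body = bytes([4, sig_type, 17, 2])                 # version 4, type, DSA, SHA-1
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x00\x00"                                # left 16 bits of hash (dummy)
    body += struct.pack(">H", 8) + b"\xa5"             # one 8-bit MPI (dummy)
    if new_format:                                     # 0xC0 | tag, one-octet length
        return bytes([0xC0 | TAG_SIGNATURE, len(body)]) + body
    return bytes([0x80 | (TAG_SIGNATURE << 2), len(body)]) + body  # old format, 1-octet len


def _read_len(buf, i, is_packet):
    """Length encoding shared by new-format packets and subpackets (RFC 4880 4.2.2, 5.2.3.1)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    if is_packet and first >= 224:
        raise ValueError("partial body lengths not supported")
    return ((first - 192) << 8) + buf[i + 1] + 192, i + 2


def iter_packets(blob):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                 # new format
            tag = ctb & 0x3F
            length, i = _read_len(blob, i + 1, True)
        else:                                          # old format
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 3
            if lentype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << lentype                           # 1, 2 or 4 length octets
            length = int.from_bytes(blob[i + 1:i + 1 + n], "big")
            i += 1 + n
        yield tag, blob[i:i + length]
        i += length


def parse_v4_signature(body):
    """Return {'type', 'created', 'issuer', 'raw'}; creation time taken from the hashed area only."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled here")
    sig = {"type": body[1], "created": None, "issuer": None, "raw": bytes(body)}
    i = 4
    for area in ("hashed", "unhashed"):
        n = struct.unpack(">H", body[i:i + 2])[0]
        i += 2
        end, j = i + n, i
        while j < end:
            length, j = _read_len(body, j, False)
            stype, sdata = body[j] & 0x7F, body[j + 1:j + length]   # mask the critical bit
            if stype == SUBPKT_CREATION_TIME and area == "hashed":
                sig["created"] = struct.unpack(">I", sdata)[0]
            elif stype == SUBPKT_ISSUER:
                sig["issuer"] = sdata.hex().upper()
            j += length
        i = end
    return sig


def fmt_created(created, full=False):
    dt = datetime.fromtimestamp(created, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S" if full else "%Y-%m-%d")


def signature_summary(blob):
    """What pgpdump would show per signature packet: issuer, type, full timestamp."""
    return [(s["issuer"], s["type"], fmt_created(s["created"], full=True))
            for tag, body in iter_packets(blob) if tag == TAG_SIGNATURE
            for s in (parse_v4_signature(body),)]


def merge(existing, imported, policy):
    """Model of the import behaviour tabulated in the post.
    gnupg: drop an imported sig when an existing sig from the same issuer and of
           the same type has a newer creation time; otherwise keep both.
    pgp8:  keep both regardless of timestamps.
    Byte-identical duplicates are dropped under either policy (an assumption)."""
    result = list(existing)
    for sig in imported:
        if any(s["raw"] == sig["raw"] for s in result):
            continue
        if policy == "gnupg" and any(
                s["issuer"] == sig["issuer"] and s["type"] == sig["type"]
                and s["created"] > sig["created"] for s in result):
            continue
        result.append(sig)
    return result


def demo():
    issuer = "0123456789ABCDEF"               # constructed, not a real key ID
    t_old = 1056387600                         # 2003-06-23 17:00:00 UTC (constructed)
    t_new = t_old + 3600                       # same calendar day, one hour later
    older = parse_v4_signature(next(iter_packets(build_v4_sig(issuer, t_old)))[1])
    newer = parse_v4_signature(next(iter_packets(build_v4_sig(issuer, t_new)))[1])
    return {
        "same_day_display": fmt_created(t_old) == fmt_created(t_new),
        "gnupg_old_then_new": len(merge([older], [newer], "gnupg")),
        "gnupg_new_then_old": len(merge([newer], [older], "gnupg")),
        "pgp8_old_then_new": len(merge([older], [newer], "pgp8")),
        "pgp8_new_then_old": len(merge([newer], [older], "pgp8")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the two self-signatures sharing one date but differing in `fmt_created(..., full=True)`, and that the GnuPG-style policy yields two signatures or one depending purely on which was imported first, while the PGPv8-style policy yields two either way. On a real exported key, `gpg --list-packets` prints the same `created` timestamps as integers, so you do not need pgpdump to check whether two self-signatures on a UID actually differ.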