Duplicated self-signatures on keyservers

Manuel Samper manuel@samper.dyndns.org
Sat May 17 15:22:02 2003


On Sat, May 17, 2003 at 05:53 CEST, David Shaw wrote:
> On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote:
> > Thinking about this (and that's where gpg come into play), if older
> > versions of self-signatures are of no practical use, and may only bloat
> > the public key, it should be stripped at download time by the
> > "keyclient" (gpg in our case), although they are preserved in the
> > keyserver for some reasons (you should know better).
> 
> Yes, that is what happens now.  GnuPG automatically strips an older
> self signature if a newer valid self signature is already available.

Not if you retrieve a new key (at least with gpg 1.2.1; perhaps it's
different in 1.2.2):

$ gpg --no-default-keyring --keyring test --recv-key 0xfffd5da0
gpg: keyring `/home/users/manuel/.gnupg/test' created
gpg: key FFFD5DA0: public key "Manuel Samper" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --no-default-keyring --keyring test --list-sigs 0xfffd5da0
pub  4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
uid                            Manuel Samper <manuel@samper.dyndns.org>
sig 1   P   C521097E 2003-05-14   [User id not found]
   Signature policy: http://www.toehold.com/robotca/
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sub  4096g/0AC11943 2003-05-13
sig         FFFD5DA0 2003-05-13   Manuel Samper
sub  1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig         FFFD5DA0 2003-05-14   Manuel Samper


But it doesn't import older self signatures if the key is already in the
public keyring:

$ gpg --recv-key 0xfffd5da0
gpg: key FFFD5DA0: "Manuel Samper" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$ gpg --list-sigs 0xfffd5da0
pub  4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
uid                            Manuel Samper <manuel@samper.dyndns.org>
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sig 1   P   C521097E 2003-05-14   Robot CA (http://www.toehold.com/robotca/) <robotca@toehold.com>
   Signature policy: http://www.toehold.com/robotca/
sub  4096g/0AC11943 2003-05-13
sig         FFFD5DA0 2003-05-13   Manuel Samper
sub  1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig         FFFD5DA0 2003-05-14   Manuel Samper

> On the other hand, a newer self signature is accepted for import, but
> the old one is not deleted.  This is occasionally reported as a bug.
> It isn't a bug, but it can be confusing.
> 
> It is a very good thing that the keyservers do not do this since they
> do not have cryptographic support to know whether the "new" signature
> is valid (or indeed, whether it is really new or not).

Yes, it's better if they don't try to be too smart and begin to mangle
keys.

-- 
Manuel Samper                                   OpenPGP Key ID: FFFD5DA0
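As an added example (not part of the message and not GnuPG's own code), a small Python checker that reads the classic `gpg --list-sigs` layout shown in the sessions above and reports which key components carry more than one self-signature; the embedded listing is constructed from the first session, and the parser assumes the gpg 1.2.x one-line-per-signature format.

```python
import re

# Constructed sample: the first `gpg --list-sigs` session from the message
# (the key fetched into an empty keyring, both self-signatures kept).
LISTING = """\
pub  4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
uid                            Manuel Samper <manuel@samper.dyndns.org>
sig 1   P   C521097E 2003-05-14   [User id not found]
   Signature policy: http://www.toehold.com/robotca/
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sig 3       FFFD5DA0 2003-05-13   Manuel Samper
sub  4096g/0AC11943 2003-05-13
sig         FFFD5DA0 2003-05-13   Manuel Samper
sub  1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig         FFFD5DA0 2003-05-14   Manuel Samper
"""

# Classic gpg 1.2.x layout: "pub|sub <bits><algo>/<keyid> <date> ..." and
# "sig [class] [flags] <keyid> <date> <name>" (class and flags optional).
KEY_RE = re.compile(r"^(pub|sub)\s+\S+/([0-9A-F]{8})\s")
SIG_RE = re.compile(r"^sig\s+(?:(\d)\s+)?(?:([A-Z]+)\s+)?([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})")


def parse_listing(text):
    """Return (primary_keyid, [(label, [(class, signer, date), ...]), ...]);
    each sig attaches to the latest pub/uid/sub line, other lines are skipped."""
    primary, blocks = None, []
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            if m.group(1) == "pub":
                primary = m.group(2)
            blocks.append((f"{m.group(1)} {m.group(2)}", []))
        elif line.startswith("uid"):
            blocks.append(("uid " + line[3:].strip(), []))
        elif (m := SIG_RE.match(line)) and blocks:
            blocks[-1][1].append((m.group(1) or "", m.group(3), m.group(4)))
    return primary, blocks


def duplicate_self_sigs(text):
    """Map each component carrying more than one self-signature (signer ==
    primary key) to those signatures' dates: identical dates mean a duplicate,
    differing dates an old/new pair that gpg keeps side by side."""
    primary, blocks = parse_listing(text)
    report = {}
    for label, sigs in blocks:
        dates = [date for _cls, signer, date in sigs if signer == primary]
        if len(dates) > 1:
            report[label] = dates
    return report
```

Run against the listing above it reports two self-signatures on both the primary key and the user ID, and nothing on the subkeys, which is exactly the state the second session shows gpg cleaning up when the key is already present.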