Duplicated self-signatures on keyservers
Manuel Samper
manuel@samper.dyndns.org
Sat May 17 15:22:02 2003
On Sat, May 17, 2003 at 05:53 CEST, David Shaw wrote:
> On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote:
> > Thinking about this (and that's where gpg comes into play), if older
> > versions of self-signatures are of no practical use, and may only bloat
> > the public key, they should be stripped at download time by the
> > "keyclient" (gpg in our case), although they are preserved in the
> > keyserver for some reasons (you should know better).
>
> Yes, that is what happens now. GnuPG automatically strips an older
> self signature if a newer valid self signature is already available.
Not if you retrieve a new key (at least with gpg 1.2.1; perhaps it's
different in 1.2.2):
$ gpg --no-default-keyring --keyring test --recv-key 0xfffd5da0
gpg: keyring `/home/users/manuel/.gnupg/test' created
gpg: key FFFD5DA0: public key "Manuel Samper" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --no-default-keyring --keyring test --list-sigs 0xfffd5da0
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
uid Manuel Samper <manuel@samper.dyndns.org>
sig 1 P C521097E 2003-05-14 [User id not found]
Signature policy: http://www.toehold.com/robotca/
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sub 4096g/0AC11943 2003-05-13
sig FFFD5DA0 2003-05-13 Manuel Samper
sub 1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig FFFD5DA0 2003-05-14 Manuel Samper
But it doesn't import older self signatures if the key is already in the
public keyring:
$ gpg --recv-key 0xfffd5da0
gpg: key FFFD5DA0: "Manuel Samper" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg --list-sigs 0xfffd5da0
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
uid Manuel Samper <manuel@samper.dyndns.org>
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 1 P C521097E 2003-05-14 Robot CA
(http://www.toehold.com/robotca/) <robotca@toehold.com>
Signature policy: http://www.toehold.com/robotca/
sub 4096g/0AC11943 2003-05-13
sig FFFD5DA0 2003-05-13 Manuel Samper
sub 1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig FFFD5DA0 2003-05-14 Manuel Samper
> On the other hand, a newer self signature is accepted for import, but
> the old one is not deleted. This is occasionally reported as a bug.
> It isn't a bug, but it can be confusing.
>
> It is a very good thing that the keyservers do not do this since they
> do not have cryptographic support to know whether the "new" signature
> is valid (or indeed, whether it is really new or not).
Yes, it's better if they don't try to be too smart and begin to mangle
keys.
--
Manuel Samper OpenPGP Key ID: FFFD5DA0