Duplicated self-signatures on keyservers

David Shaw dshaw@jabberwocky.com
Sat May 17 16:35:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, May 17, 2003 at 03:22:22PM +0200, Manuel Samper wrote:
> On Sat, May 17, 2003 at 05:53 CEST, David Shaw wrote:
> > On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote:
> > > Thinking about this (and that's where gpg comes into play), if older
> > > versions of self-signatures are of no practical use, and may only bloat
> > > the public key, they should be stripped at download time by the
> > > "keyclient" (gpg in our case), although they are preserved in the
> > > keyserver for some reasons (you should know better).
> > 
> > Yes, that is what happens now.  GnuPG automatically strips an older
> > self signature if a newer valid self signature is already available.
> 
> Not if you retrieve a new key (at least with gpg 1.2.1; perhaps it's
> different in 1.2.2):

Yes, that is correct.  The signature check only happens when an
existing signature (and hence an existing key) is already in your
keyring.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+xkiS4mZch0nhy8kRArKuAJ0W7a+SdFGnESFi6u4IE7FQUf7JmwCg1o8P
ONsByR6XCYmSjXtdQkEfarU=
=hffT
-----END PGP SIGNATURE-----