Retaining expired sigs

David Shaw dshaw at jabberwocky.com
Sun Mar 20 04:35:47 CET 2005


On Sat, Mar 19, 2005 at 03:25:32PM -0500, Jason Harris wrote:

> > about the same thing.  Given this case:
> > 
> > 	   non-revocable sig    1-Jan-2000
> > 	   revocable sig        2-Jan-2000
> > 	   revocation           3-Jan-2000
> > 
> > One way of looking at this is the end result is nothing.  That is, the
> > revocable sig of 2-Jan-2000 has superseded the non-revocable sig of
> > 1-Jan-2000, and then the revocation has revoked the sig of 2-Jan-2000.
> > There are no valid sigs left, and all three can be disregarded.
> 
> This would be letting the non-revocable sig. be indirectly revoked,
> which I don't believe anyone is advocating.
>
> > Another way of looking at this is that the revocable sig of 2-Jan-2000
> > has not superseded the non-revocable sig of 1-Jan-2000.  The
> > revocation of 3-Jan-2000 has revoked the sig of 2-Jan-2000, which
> > leaves the non-revocable sig of 1-Jan-2000 as valid and usable.
> 
> This is what I am advocating.

Good.  Then we agree.  What's more, there is nothing to change.  GnuPG
already effectively works this way (see below).

> > Now try this case:
> > 
> > 	   non-revocable sig    1-Jan-2000
> > 	   expired sig          2-Jan-2000 (expired 3-Jan-2000)
> > 
> > One answer here is that the expired sig of 2-Jan-2000 has superseded
> > the non-revocable sig of 1-Jan-2000.  The end result is nothing and
> > both sigs can be discarded.
> > 
> > Another answer is that 2-Jan-2000 has expired, which leaves the sig of
> > 1-Jan-2000 as valid and usable.
> > 
> > What are you arguing for?
> 
> The sig. of 1-Jan-2000 is valid and usable.  It can only be ignored when
> superseded.

I agree with your general idea here, but not the details, exactly.
What GnuPG does in this case is to take the 1-Jan-2000 signature and
ignore any that follow.

I don't like the idea of a signature that is temporarily superseded.
Either it is superseded (and can be removed) or it is not.  It's a bit
of a distinction without a difference, really.  The end result is
basically the same, but the rationale is different.

> Also, if multiple non-revocable sigs. exist, the latest (valid) one 
> supersedes all others, which can be safely removed.

Ok, I buy this.  I'll change the unusable sig filter to remove earlier
sigs in a series when filtering.  It's a little different than the
current implementation since this would allow a newly imported
signature to cause older signatures already on the keyring to
disappear (say, if an expired signature was imported that dated after
all the signatures that were already present).

David
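
A small model of the outcome both posters arrive at in this message, as an added example: it is not GnuPG code and not part of the original post. The `Sig` record, the `effective_sig` function and the rule that a revocation covers revocable signatures made on or before it are assumptions of this sketch; the third case and its date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Sig:  # hypothetical record, not a GnuPG structure
    created: date
    revocable: bool = True
    expires: Optional[date] = None
    is_revocation: bool = False


def effective_sig(series, today):
    """For one issuer's signatures on one user ID, return
    (effective signature or None, earlier signatures it supersedes)."""
    certs = sorted((s for s in series if not s.is_revocation),
                   key=lambda s: s.created)
    revocations = [s for s in series if s.is_revocation]

    def usable(s):
        if s.expires is not None and s.expires <= today:
            return False  # expired: cannot supersede anything
        # Assumption: a revocation covers revocable sigs made on or before it;
        # a non-revocable sig is never affected.
        revoked = s.revocable and any(r.created >= s.created for r in revocations)
        return not revoked

    good = [s for s in certs if usable(s)]
    if not good:
        return None, []
    effective = good[-1]  # latest usable signature wins
    return effective, [s for s in certs if s.created < effective.created]


# Constructed inputs, using the dates from the message.
NONREV = Sig(date(2000, 1, 1), revocable=False)
CASE_REVOKED = [NONREV, Sig(date(2000, 1, 2)),
                Sig(date(2000, 1, 3), is_revocation=True)]
CASE_EXPIRED = [NONREV, Sig(date(2000, 1, 2), expires=date(2000, 1, 3))]
# Constructed third case: a later non-revocable sig (date invented here).
NEWER = Sig(date(2000, 1, 5), revocable=False)
CASE_TWO_NONREV = [NONREV, NEWER]

if __name__ == "__main__":
    for case in (CASE_REVOKED, CASE_EXPIRED, CASE_TWO_NONREV):
        print(effective_sig(case, today=date(2005, 3, 20)))
```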


