2 noob problems

Neil Williams linux at codehelp.co.uk
Fri May 20 23:30:16 CEST 2005

On Friday 20 May 2005 7:50 pm, Alex Mauer wrote:
> Neil Williams wrote:
> > Keyservers don't delete signatures so every time you self-sign, it
> > remains on the keyserver. Deleting the signature once a key has been sent
> > to a keyserver is pointless because refreshing the key will always import
> > all the old signatures.
> What's the reasoning behind this?  Would it not be possible/logical for
> the keyserver, or gpg's import process, to simply discard all but the
> most recent signature from any single key?

As far as self-signatures go, these are an important part of key maintenance 
and key integrity. If a key has changed, there needs to be a verification 
that the change is tied to the secret key. If you add a UID or change the key 
behaviour in other ways, the key should be verified and the different 
components of the key "tied" together with a new self-signature. It's just 
like the tie on a bag - if you add another bag, you need another tie. If you 
use just the latest tie to secure everything in one go, you lose the ability 
to trace the management of the key.

If you're thinking of the other signatures, consider that people spend a lot 
of time and travel large distances to gain signatures on their keys - why 
should that be wiped out arbitrarily?

Even if the key that made the signature is out of use, the signature itself is 
still valid - it testifies that the owner of the key was verified on the date 
shown by the person named in the signing key.

Why is a new signature (of either type) more important than an old one?


Neil Williams
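A toy model of the keyserver merge behaviour described above, added here as an illustration (it is not code from the thread or from GnuPG): a keyserver only ever takes the union of the packets it has seen, so a self-signature or third-party signature deleted locally comes back on refresh, and each UID keeps its own "tie". Key IDs, UIDs and timestamps are constructed.

```python
from dataclasses import dataclass

# Constructed key IDs, UIDs and timestamps; none come from the thread.
OWNER, FRIEND = "0xAAAA1111", "0xBBBB2222"
UID1, UID2 = "Alice <alice@example.org>", "Alice <alice@example.com>"
@dataclass(frozen=True)
class Sig:
    issuer: str    # key ID of the signing key
    target: str    # the UID this signature binds to the primary key
    created: int   # creation time (constructed integer timestamp)
@dataclass(frozen=True)
class Key:
    keyid: str
    uids: frozenset = frozenset()
    sigs: frozenset = frozenset()

    def self_sign(self, uid, when):
        """Add (or re-tie) a UID with a self-signature made at time `when`."""
        return Key(self.keyid, self.uids | {uid}, self.sigs | {Sig(self.keyid, uid, when)})
    def add_sig(self, sig):
        return Key(self.keyid, self.uids, self.sigs | {sig})
    def delete_sig(self, sig):
        """Local deletion (like delsig in --edit-key); only this copy changes."""
        return Key(self.keyid, self.uids, self.sigs - {sig})

def merge(a, b):
    """Keyserver-style merge: union of UIDs and signature packets, never removal."""
    assert a.keyid == b.keyid
    return Key(a.keyid, a.uids | b.uids, a.sigs | b.sigs)
def self_sig_dates(key, uid):
    """Management history of one UID: every self-signature still on the key."""
    return sorted(s.created for s in key.sigs if s.issuer == key.keyid and s.target == uid)

def scenario():
    local = Key(OWNER).self_sign(UID1, 1000)
    server = merge(Key(OWNER), local)                 # first --send-keys
    local = local.self_sign(UID2, 2000)               # new UID gets its own tie
    local = local.self_sign(UID1, 3000)               # re-signed UID1: both ties stay
    local = local.add_sig(Sig(FRIEND, UID1, 2500))    # third-party signature
    server = merge(server, local)                     # --send-keys again
    old_tie = Sig(OWNER, UID1, 1000)
    local = local.delete_sig(old_tie)                 # try to drop the old self-sig
    gone_locally = old_tie not in local.sigs
    local = merge(local, server)                      # --refresh-keys brings it back
    return {
        "gone_locally": gone_locally,
        "back_after_refresh": old_tie in local.sigs,
        "uid1_history": self_sig_dates(local, UID1),
        "friend_sig_kept": Sig(FRIEND, UID1, 2500) in local.sigs,
        "total_sigs": len(local.sigs),
    }
```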
