2 noob problems

Alex L. Mauer hawke at hawkesnest.net
Sat May 21 17:53:12 CEST 2005 

Yep, I understand the purposes of key signatures.  But (unlike with your
  bag/tie analogy), two signatures from the same key don't make a key
twice as valid.  If only the most recent one is kept, that should be
sufficient.  If you add a new uid, only that uid needs to be signed,
there's no need to add another signature to all of them.

> If you're thinking of the other signatures, consider that people spend a lot
> of time and travel large distances to gain signatures on their keys - why
> should that be wiped out arbitrarily?

Because it's redundant.  If I have two signatures on my key from
someone, either one of them is equally valid.  No need to keep two.

>
> Even if the key that made the signature is out of use, the signature itself is
> still valid - it testifies that the owner of the key was verified on the date
> shown by the person named in the signing key.

Yep, and I'm not proposing discarding arbitrary signatures.  But if
there's two signatures from a key, regardless of whether it's out of
use, you don't need to keep them both.  Does it testify that the owner
of the key was verified once, and then again on another date?  If so,
what reason is there to keep both signatures?  If I sign a contract,
does signing it twice make it more valid/enforcable/something?

On the other hand, if the signature has expired, since it becomes
meaningless there's no reason to keep it.  Look at the PGP Global
Directory key for an example of where this could become a problem.  It
re-signs the keys every two weeks, with a signature that is valid for
two weeks.  This builds up pretty quickly.

> Why is a new signature (of either type) more important than an old one?

It's not, but defining a specific behaviour is generally a good idea
when talking about how computers should behave.  Defining this would
tell the keyservers what to do when syncronising, which I've heard as
the reason it retains all keys+sigs forever.

In fact ... now that I think about it, if this were done, it would be
possible for the keyservers to handle that better too: It could retain
only the most recent signature for a key on each uid, and only give out
the keys if the most recent self-signature is not a revokation
signature.  But, it could still hang on to all keys for comparison, so
that when syncronization rolls around it doesn't just treat it as a new key.

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
OpenPGP key id: 51192FF2 @ subkeys.pgp.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20050521/df449841/signature.pgp

More information about the Gnupg-users mailing list