updating a key's self-signature

David Shaw dshaw at jabberwocky.com
Wed Jan 4 18:35:41 CET 2006

On Tue, Jan 03, 2006 at 07:59:08PM -0800, vedaal at hush.com wrote:
> >Message: 8
> >Date: Tue, 3 Jan 2006 19:43:01 -0500
> >From: David Shaw <dshaw at jabberwocky.com>
> >Subject: Re: updating a key's self-signature
> >Yes, but note that it's still possible for someone to get the old
> >self-sig from a keyserver.
> what good would that do anyone once the old signature hash is no 
> longer trusted,
> and the key is updated with the new one ?

Remember than keys are merged on the keyservers, so you'll end up with
both self-sigs present.  To be sure, GPG will use the more recent,
stronger, self-sig, but the old one is still there.

If an attacker compromises the keyserver or in any way distributes
your key himself, he can remove the new self-sig, leaving the old one

It's not much of an attack.  I wouldn't lose sleep over it.

> >Despite the recent attacks, I'd use SHA-1.
> i'd prefer whirpool, but settled for sha-256 ;-)

This is fine, but note that the key may not work in older versions of
PGP and GPG.


More information about the Gnupg-users mailing list