Keyservers mangle with subkey binding sigs

Charly Avital shavital at mac.com
Sat Jan 19 13:26:04 CET 2008



Vlad "SATtva" Miller wrote the following on 1/19/08 6:01 AM:
[...]
| Here for example (in the bottom) you may see two subkeys with binding
| signatures expired at 2007-12-31:
| http://pool.sks-keyservers.net:11371/pks/lookup?search=0x8443620A&op=vindex

So it is.

| But if you look at the original copy you'll see that all regenerated
| sigs are in place:
| http://www.vladmiller.info/contacts/openpgp.txt

After importing that keyblock:

gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 13 new signatures
gpg: key 8443620A: "Vladislav V. Miller (aka SATtva)" 11 signatures cleaned
gpg: Total number processed: 1
gpg:         new signatures: 13
gpg:     signatures cleaned: 11
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:  30  signed: 105  trust: 0-, 0q, 0n, 0m, 0f, 30u
gpg: depth: 1  valid: 105  signed:  54  trust: 0-, 3q, 0n, 33m, 69f, 0u
gpg: depth: 2  valid:  40  signed:  92  trust: 0-, 1q, 2n, 21m, 16f, 0u
gpg: depth: 3  valid:   4  signed:  12  trust: 1-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 4  valid:   3  signed:   4  trust: 0-, 0q, 0n, 1m, 2f, 0u
gpg: next trustdb check due at 2008-02-13

[name]$ gpg --edit-key 8443620A
gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/8443620A  created: 2006-12-21  expires: never       usage: SC
~                     trust: unknown       validity: unknown
sub  2048R/070E0B73  created: 2006-12-21  expires: 2010-01-01  usage: S
sub  2048R/7D57ED51  created: 2006-12-21  expires: 2010-01-01  usage: E
[ unknown] (1). Vladislav V. Miller (aka SATtva)
[ unknown] (2)  Vladislav V. Miller (aka SATtva) <sattva at pgpru.com>
[ unknown] (3)  Vladislav V. Miller (aka SATtva) <sattva at vladmiller.info>
[ unknown] (4)  SATtva (openPGP in Russia project admin) <project at pgpru.com>
[ unknown] (5)  Vlad Miller (for private contacts only) <vladtepesh at mail.ru>
[ unknown] (6)  [jpeg image of size 7403]
[ unknown] (7)  [jpeg image of size 7403]

In my system now:

I have not signed your key.
Your signature verifies (no longer "...with expired key...").
Two user photos are invoked and displayed, one of them shows a person,
the other one displays an interrogation mark.

After signing (locally) your key, there is no change, still two photos
displayed, one is a person, the other one displays an interrogation mark.



| sattva at localhost ~ $ cat openpgp.txt | gpg --list-packets
| [snip]
| :signature packet: algo 1, keyid FAEB26F78443620A
|         version 4, created 1199529401, md5len 0, sigclass 0x18
|         digest algo 2, begin of digest 1f 06
|         hashed subpkt 26 len 45 (policy:
|         http://www.vladmiller.info/services/cert.html)
|         hashed subpkt 27 len 1 (key flags: 0C)
|   >>>>  hashed subpkt 2 len 4 (sig created 2008-01-05)       <<<<
|   >>>>  hashed subpkt 9 len 4 (key expires after 3y11d13h6m) <<<<
|         subpkt 16 len 8 (issuer key ID FAEB26F78443620A)
|         data: [4095 bits]
|
| If I understand this correctly and not missing something terribly here,
| keyservers just looked at newly uploaded key, thought "huh? I already
| have that subkey in place, and this 0x18 sig too!", and discarded it
| without going into much trouble of analyzing any binding sigs'
| timestamps (maybe marking them as duplicates).

I lack the knowledge and background to comment.

Charly
MacOS X 10.5.1 - GnuPG 1.4.8 - GPG2 2.0.8 with gpg-agent - Thunderbird
2.0.0.9 with Enigmail 0.95.6 - Primary key A57A8EFA - Signing subkey
855B83EF
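A small model of the merge behaviour the quoted packet dump and explanation describe, added here as an illustration; it is not code from GnuPG, SKS or either correspondent. It contrasts a merge that treats a signature as a duplicate by (subkey, sigclass) alone with one that keeps every distinct signature, using subkey 070E0B73 and the regenerated sig's own timestamp and "key expires after" value from the thread. The 12:00 UTC time of day for the subkey's creation and the old signature's 375-day lifetime are assumptions chosen to reproduce the dates shown above.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional


class BindingSig(NamedTuple):
    subkey: str                         # keyid of the subkey this sig binds
    sigclass: int                       # 0x18 = subkey binding signature
    created: datetime                   # "sig created" hashed subpacket
    expires_after: Optional[timedelta]  # "key expires after", relative to subkey creation


def naive_merge(have, incoming):
    """Merge as the thread suspects the keyservers do: any sig of the same
    class on the same subkey counts as a duplicate, so the new one is dropped."""
    seen = {(s.subkey, s.sigclass) for s in have}
    return list(have) + [s for s in incoming if (s.subkey, s.sigclass) not in seen]


def full_merge(have, incoming):
    """A sig is a duplicate only if every field matches, so both sigs survive."""
    return list(have) + [s for s in incoming if s not in have]


def effective_expiry(subkey, subkey_created, sigs):
    """Expiry as a verifier sees it: newest binding sig wins, relative to subkey creation."""
    newest = max((s for s in sigs if s.subkey == subkey and s.sigclass == 0x18),
                 key=lambda s: s.created)
    if newest.expires_after is None:
        return "never"
    return (subkey_created + newest.expires_after).strftime("%Y-%m-%d")


# Constructed from the thread's values; the 12:00 UTC time of day and the old
# sig's 375-day lifetime are assumptions picked to reproduce the dates shown.
UTC = timezone.utc
SUBKEY = "070E0B73"
SUBKEY_CREATED = datetime(2006, 12, 21, 12, 0, tzinfo=UTC)
OLD_SIG = BindingSig(SUBKEY, 0x18, SUBKEY_CREATED, timedelta(days=375))
NEW_SIG = BindingSig(SUBKEY, 0x18, datetime.fromtimestamp(1199529401, UTC),
                     timedelta(days=3 * 365 + 11, hours=13, minutes=6))


def keyserver_view():
    """Keyserver copy: still reports the 2007-12-31 expiry."""
    return effective_expiry(SUBKEY, SUBKEY_CREATED, naive_merge([OLD_SIG], [NEW_SIG]))


def local_view():
    """After importing the original keyblock: 2010-01-01, as gpg --edit-key shows."""
    return effective_expiry(SUBKEY, SUBKEY_CREATED, full_merge([OLD_SIG], [NEW_SIG]))
```

The check a verifier needs is the one `effective_expiry` performs: compare binding signatures by creation time and honour the newest, rather than assuming one 0x18 sig per subkey.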
