changing key expiration

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Aug 27 21:25:57 CEST 2009


Hi Bernhard--

On 08/27/2009 01:36 PM, Bernhard Kuemel wrote:
> It appears the key expiration is part of the signatures. Will the most
> recent signature have the effective expiration date?

yes, the most recent certification made by the same issuer on a given
subject is considered to supersede all other signatures by the same
issuer over that subject (in your case, this is a self-signature, so the
issuer is the same as the subject).

> --edit-key revsig only shows me the date when the signatures were made,
> but it is the same for the last 2 recently made signatures. How can I
> tell them apart?

A revocation of the User ID from your Key with timestamp X will
effectively revoke *any* certification over the Key/User ID pair with a
timestamp < X.

So even if you were to issue a revocation of an earlier signature, if
the timestamp of your revocation happens to post-date a signature you
wanted to keep, it would be effectively invalidated by the same
revocation.  At least, this is how gpg appears to interpret the spec,
and it seems to be the only reasonable interpretation.

So the answer is: you don't need to issue a revocation for the earlier
certifications; they're already superseded by the new certification you
made.  And it could be actively harmful to try to issue a revocation
even for the first one (which you *can* distinguish by date) because the
revocation will effectively clobber *any* certification over the same
key/user ID made prior to the revocation.

If i've made any mistakes above, i hope someone will step in and correct me!

hth,

	--dkg
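The two rules dkg describes above (newest certification by the same issuer wins; a revocation with timestamp X invalidates every certification by that issuer over the same key/User ID pair with timestamp < X) are easy to get wrong by intuition, so here is a small model of them as an added example. It is not code from the message, from GnuPG, or from the OpenPGP spec: timestamps are plain integers, the key ID and User ID are constructed sample values, and the tie-breaking for equal timestamps is an assumption of the model rather than something the message states.

```python
# Added example, not part of dkg's message or of GnuPG: a model of how gpg
# resolves several self-signatures and a revocation over the same key/UID.
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """A certification (here a self-signature) over a key/User ID pair."""
    issuer: str
    subject: str
    created: int            # signature creation time
    expires: Optional[int]  # key expiration carried in the signature; None = never


@dataclass(frozen=True)
class Revocation:
    """A revocation by `issuer` of its certification(s) over `subject`."""
    issuer: str
    subject: str
    created: int


def certs_clobbered_by(rev: Revocation, certs: Sequence[Cert]) -> List[Cert]:
    """Every certification the revocation invalidates: same issuer, same
    subject, and created strictly before the revocation. The revoker cannot
    pick one signature; the timestamp comparison does the selection."""
    return [c for c in certs
            if c.issuer == rev.issuer and c.subject == rev.subject
            and c.created < rev.created]


def effective_cert(certs: Sequence[Cert], revocations: Sequence[Revocation],
                   issuer: str, subject: str) -> Optional[Cert]:
    """The certification treated as current for (issuer, subject), or None.

    Rule 1: the newest certification by the issuer supersedes its older ones.
    Rule 2: a later revocation by the same issuer over the same pair invalidates
            it (and, by rule 1, everything older). Equal timestamps are left to
            the certification here; that tie-break is an assumption of this model.
    """
    mine = [c for c in certs if c.issuer == issuer and c.subject == subject]
    if not mine:
        return None
    newest = max(mine, key=lambda c: c.created)
    for rev in revocations:
        if newest in certs_clobbered_by(rev, [newest]):
            return None
    return newest


def effective_expiration(certs: Sequence[Cert], revocations: Sequence[Revocation],
                         issuer: str, subject: str) -> Optional[int]:
    """Expiration gpg would report; raises if no valid certification remains."""
    cert = effective_cert(certs, revocations, issuer, subject)
    if cert is None:
        raise LookupError("no unrevoked certification for this key/User ID")
    return cert.expires


# Constructed sample data: one key with a self-signed User ID that was
# re-certified twice with --edit-key expire, minutes apart.
KEY = "0x0123456789ABCDEF"          # constructed sample key ID
UID = "Alice <alice@example.org>"   # constructed sample User ID
SELF_SIGS = [
    Cert(KEY, UID, created=100, expires=1_000),  # original self-signature
    Cert(KEY, UID, created=200, expires=2_000),  # first re-certification
    Cert(KEY, UID, created=300, expires=3_000),  # second, the one that counts
]
# A revocation meant only for the t=100 signature but issued after t=300:
REVOKE_AFTER_ALL = [Revocation(KEY, UID, created=350)]
# A revocation issued between the two latest self-signatures:
REVOKE_BETWEEN = [Revocation(KEY, UID, created=250)]


if __name__ == "__main__":
    print("no revocation :", effective_expiration(SELF_SIGS, [], KEY, UID))
    print("revoked at 250:", effective_expiration(SELF_SIGS, REVOKE_BETWEEN, KEY, UID))
    print("revoked at 350 clobbers",
          len(certs_clobbered_by(REVOKE_AFTER_ALL[0], SELF_SIGS)), "certifications")
```

The run shows the point of the message: with no revocation the t=300 signature (expires 3000) already wins, a revocation dated 250 changes nothing visible because the t=300 signature post-dates it, and a revocation dated 350 takes out all three self-signatures, not just the one the revoker had in mind.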
