Updating signature cert-level

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Apr 26 22:19:24 CEST 2011


On 04/26/2011 04:06 PM, Aaron Toponce wrote:
> I signed a key, of which defaulted to cert-level 0 (I will not answer),
> which must be the default. When signing the key, GnuPG didn't ask me about
> any checking. However, I would like to update the cert-level to 2 (I have
> done casual checking), but I'm unaware of how to do this. Do I need to
> revoke my signature, and re-sign, seeing as though GnuPG won't let me sign
> the key if I've already signed it?

The OpenPGP spec says that only one certification of a given key+UserID
from a particular primary key is valid -- it is the one with the most
recent certification creation time.

Each certification indicates what you're calling the "cert-level" in the
signature type, which is of course part of the message that is
cryptographically signed.  So you'll be issuing a new certification
instead of "updating" an old one.

Consequently, there is also no need to revoke an old certification
before issuing a new one, since the new one supersedes it.

Before you start doing --ask-cert-level generally: ask yourself what you
expect to gain from it.  Ask also what you expect your
peers/correspondents to gain from it.  Does the extra complexity give
you anything concretely worth more than the hassle/confusion it introduces?

	--dkg
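The superseding rule described above, as an added example that is not part of the original message: a small Python model of OpenPGP certification packets that picks the certification currently in effect for a given issuer, target key and User ID, and maps its signature type back to the cert-level GnuPG asks about. The signature-type values follow RFC 4880 section 5.2.1; the fingerprints, User ID and timestamps are constructed, and a certification revocation (0x30) is treated as voiding the certification only while it is the newest signature from that issuer.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# OpenPGP certification signature types (RFC 4880 5.2.1) -> GnuPG cert-level:
# 0x10 generic (0, "I will not answer"), 0x11 persona (1, "not checked"),
# 0x12 casual (2, "casual checking"), 0x13 positive (3, "careful checking").
SIG_TYPE_TO_CERT_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}
CERT_REVOCATION = 0x30  # certification revocation signature


@dataclass(frozen=True)
class Certification:
    issuer: str      # fingerprint of the certifying primary key (constructed)
    target_key: str  # fingerprint of the key being certified (constructed)
    user_id: str     # User ID packet the certification binds
    sig_type: int    # OpenPGP signature type, part of the signed data
    created: int     # signature creation time, seconds since the epoch


def effective_certification(sigs: Iterable[Certification], issuer: str,
                            target_key: str, user_id: str) -> Optional[Certification]:
    """Return the one certification of (target_key, user_id) by issuer that
    is valid: the most recently created one. Older certifications are
    superseded, so nothing needs to be revoked to change the cert-level."""
    relevant = [s for s in sigs
                if s.issuer == issuer and s.target_key == target_key
                and s.user_id == user_id
                and (s.sig_type in SIG_TYPE_TO_CERT_LEVEL
                     or s.sig_type == CERT_REVOCATION)]
    if not relevant:
        return None
    latest = max(relevant, key=lambda s: s.created)
    # A revocation only counts while it is the newest signature; a later
    # certification supersedes it just like it supersedes an older one.
    return None if latest.sig_type == CERT_REVOCATION else latest


def cert_level(sig: Optional[Certification]) -> Optional[int]:
    """Map the signature type of an in-effect certification to 0..3."""
    return None if sig is None else SIG_TYPE_TO_CERT_LEVEL[sig.sig_type]


# Constructed sample: a level-0 certification, then a level-2 one a day later.
SAMPLE = [
    Certification("CERTIFIER_FPR", "TARGET_FPR", "Alice <alice@example.org>", 0x10, 1303800000),
    Certification("CERTIFIER_FPR", "TARGET_FPR", "Alice <alice@example.org>", 0x12, 1303886400),
    Certification("OTHER_FPR", "TARGET_FPR", "Alice <alice@example.org>", 0x13, 1303900000),
]

if __name__ == "__main__":
    print(cert_level(effective_certification(SAMPLE, "CERTIFIER_FPR", "TARGET_FPR",
                                             "Alice <alice@example.org>")))  # 2
```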
