Updating signature cert-level

Doug Barton dougb at dougbarton.us
Wed Apr 27 01:50:16 CEST 2011

On 04/26/2011 13:49, David Shaw wrote:
> On Apr 26, 2011, at 4:12 PM, Doug Barton wrote:
>> On 04/26/2011 13:06, Aaron Toponce wrote:
>>> I signed a key, of which defaulted to cert-level 0 (I will not answer),
>>> which must be the default. When signing the key, GunPG didn't ask me about
>>> any checking. However, I would like to update the cert-level to 2 (I have
>>> done casual checking), but I'm unaware of how to do this. Do I need to
>>> revoke my signature, and re-sign, seeing as though GnuPG won't let my sign
>>> the key if I've already signed it?
>> I think you can delsig, then sign again. The keyservers would have both, but hopefully client software (like gpg) would be smart enough to use the more recent?
> Yes.
>> I would imagine that revoking a signature and then signing again would make it worse instead of better?
> Not really worse or better in practice.  The semantics are slightly different for the two cases, but the end result is the same.  In the revocation case, you have sig1+revoke1+sig2, so the end result is to use sig2.  In the superseding case, you have sig1+sig2, and the end result is also to use sig2.

Ok, thanks for confirming that I'm not a complete loonie. :)


	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

More information about the Gnupg-users mailing list