Updating signature cert-level

David Shaw dshaw at jabberwocky.com
Wed Apr 27 14:59:49 CEST 2011


On Apr 27, 2011, at 5:11 AM, Aaron Toponce wrote:

> On Tue, Apr 26, 2011 at 01:12:00PM -0700, Doug Barton wrote:
>> I think you can delsig, then sign again. The keyservers would have
>> both, but hopefully client software (like gpg) would be smart enough
>> to use the more recent? I would imagine that revoking a signature
>> and then signing again would make it worse instead of better?
>> 
>> Meanwhile, add ask-cert-level to your gpg.conf.
> 
> This is what I ended up doing. I deleted the signature, and resigned.
> Further, I've added 'ask-cert-level' to my gpg.conf, for future signings.
> And, out of curiosity, I checked the signatures on my own key, and found
> them all to be cert level '0', which I was a bit bummed about. Oh well.

Given the people involved in a key signing (the signer, the signee, and a third party who sees the signature later), more than anything else, it's an informational (only) message from the signer to the third party.  Since by default it doesn't really change how the key signature is interpreted (that is, level 2 == level 3 == level 0), most people don't bother to set one.

Incidentally, it is possible to tweak the trust calculations to take signature level into account.  GnuPG supports reading a trust "map" generated by an external process that can use whatever trust rules it likes.  I don't know of anyone using this ability offhand.

David
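The checks discussed in this thread (finding out which cert level each signature on a key carries, and certifying at a chosen level rather than the default 0), as an added example that is not code from the thread or from GnuPG itself. It assumes `gpg` is on PATH for the two "live" functions; the parser runs offline on a constructed `--with-colons` listing with made-up key IDs. Using `--default-cert-level` as a non-interactive alternative to `ask-cert-level` in gpg.conf is my addition, not something the posters mention.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG itself.
# Assumes: gpg on PATH for the two "live" functions; the parser and the
# sample below run offline on a constructed listing.

# Map the signature class byte (field 11 of a "sig" record in
# "gpg --with-colons --list-sigs" output, e.g. "13x") to its certification
# level: 0x10 generic (0), 0x11 persona (1), 0x12 casual (2),
# 0x13 positive (3). Other classes (0x1F direct-key, 0x18 subkey binding,
# 0x30 revocation) are not certifications and are skipped.
# With GnuPG's default min-cert-level of 2, level 1 signatures are left out
# of the trust calculation; levels 0, 2 and 3 are all counted the same way.
cert_level_report() {
    awk -F: '
        BEGIN {
            name[0] = "generic"; name[1] = "persona"
            name[2] = "casual";  name[3] = "positive"
        }
        $1 == "sig" && $11 ~ /^1[0-3]/ {
            level = substr($11, 2, 1)
            status = (level == 1) ? "ignored-by-default" : "counted"
            printf "%s %s %s %s\n", $5, level, name[level], status
        }'
}

# Live: show the certification level of every signature on KEYID
# (plain "gpg --list-sigs" shows the same thing as "sig 3" vs a bare "sig").
list_cert_levels() {
    gpg --with-colons --list-sigs "$1" | cert_level_report
}

# Live: certify KEYID at an explicit level 0-3 without the prompt that
# ask-cert-level in gpg.conf would give. To replace an existing level-0
# signature as done in the thread, first run "gpg --edit-key KEYID",
# select the uid and use "delsig" (interactive), then re-sign.
certify_at_level() {
    gpg --default-cert-level "$2" --sign-key "$1"
}

# Constructed sample in --with-colons format (fake key IDs, not real keys).
SAMPLE_LISTING='pub:u:2048:1:AAAAAAAAAAAAAAAA:1303900000:::u:::scESC:
uid:u::::1303900000::0123456789ABCDEF0123456789ABCDEF01234567::Example User (constructed) <user@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1303900000::::Example User (constructed) <user@example.invalid>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1303900100::::Casual Signer (constructed) <casual@example.invalid>:12x:
sig:::1:CCCCCCCCCCCCCCCC:1303900200::::Generic Signer (constructed) <generic@example.invalid>:10x:
sig:::1:DDDDDDDDDDDDDDDD:1303900300::::Persona Signer (constructed) <persona@example.invalid>:11x:
sig:::1:EEEEEEEEEEEEEEEE:1303900400::::Direct key signature (constructed):1fx:'

# Run the parser over the constructed listing; one line per certification.
sample_report() {
    printf '%s\n' "$SAMPLE_LISTING" | cert_level_report
}

sample_report
```

Run as-is to see the parser on the sample; `list_cert_levels 0xYOURKEYID` does the same against the local keyring. Only self-signatures and certifications (class 0x10 to 0x13) appear in the report; the direct-key signature in the sample is dropped on purpose.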




More information about the Gnupg-users mailing list