Any value to duplicate signatures?

Ben McGinnes ben at adversary.org
Sat Mar 2 12:02:42 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2/03/13 8:51 PM, Doug Barton wrote:
> On 03/02/2013 01:20 AM, Ben McGinnes wrote:
>> 
>> I can think of two reasons why there may be some value in
>> including the second signatures.  The first being if you have
>> added a new UID to your key and the new signatures are now
>> applied to that.
> 
> I should have been more explicit that this is not the case.

No doubt someone else will encounter that scenario and see the value,
though (my key acquired a new UID just the other day, though it won't
get as much use as this address).

>> The second being to show that the key is consistently under your 
>> control.
> 
> But new signatures don't actually prove that, right? The person 
> generating the signature could just as easily have uploaded it to 
> the key server themselves. In this case that didn't happen, but
> the fact that new signatures appeared doesn't actually prove
> anything.

I think it's more in the nature of circumstantial evidence, the
strength of which is determined more by the person doing the signing
and their policy regarding key signing.  It can show a consistency of
control of the key and/or email address(es) associated with that key.


Regards,
Ben


