Reusing signed user ID or attribute
mailinglisten at hauke-laging.de
Fri Jan 17 13:28:50 CET 2014
On Fri 17.01.2014, 11:44:55 Daniele Ricci wrote:
> My question is the following: suppose I create a user ID or attribute.
> I sign it with my key and that's ok.
> One day I revoke that user ID or attribute and sign it again with a
> certification revocation.
> A few years later, I want to restore that user ID or attribute
> because, e.g. I restored an old e-mail address. Is it enough to sign
> the revoked user attribute once again with a valid signature (then
> timestamps will do the rest) or do I have to create a new user ID with
> the same data?
I am afraid that depends on the implementation. The RFC isn't clear on
that (if I understand it correctly).
It says about self-signatures (a revocation is not a self-signature in
this sense, though):
"An implementation that encounters multiple self-signatures on the same
object may resolve the ambiguity in any way it sees fit, but it is
RECOMMENDED that priority be given to the most recent self-signature."
About revocations it says:
"0x30: Certification revocation signature
This signature revokes an earlier User ID certification signature
(signature class 0x10 through 0x13) or direct-key signature
(0x1F). It should be issued by the same key that issued the
revoked signature or an authorized revocation key. The signature
is computed over the same data as the certificate that it
revokes, and should have a later creation date than that
IIRC then GnuPG accepts a later self-signature (overriding the
revocation). IMHO that makes most sense. As long as the main key isn't
revoked or expired why shouldn't one "change one's mind"?
I haven't tried now but IIRC you have to delete the revocation first
before you can create a new signature.
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
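The resolution rule discussed in the reply above (only self-signatures from the primary key count, the most recently created one wins, so a certification made after a certification revocation makes the user ID valid again) as an added Python model. This is not GnuPG code and not from the thread; the key IDs, dates and the `sig`/`resolve`/`timeline` helpers are constructed for the example, and the signature type values are the ones RFC 4880 section 5.2.1 assigns.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Signature type values from RFC 4880 section 5.2.1
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # User ID / user attribute certifications
CERT_REVOCATION = 0x30                  # certification revocation

# Constructed key IDs for the example (not real keys)
PRIMARY = "0xAAAA000000000001"
OTHER = "0xBBBB000000000002"


@dataclass(frozen=True)
class Signature:
    sig_type: int        # 0x10..0x13 or 0x30
    created: datetime    # signature creation time
    issuer: str          # key ID of the key that issued the signature


def sig(sig_type, year, month=1, day=1, issuer=PRIMARY):
    """Build a constructed signature record dated at the given day (UTC)."""
    return Signature(sig_type, datetime(year, month, day, tzinfo=timezone.utc), issuer)


def own_signatures(sigs, primary_key_id):
    """Certifications and revocations issued by the primary key itself.

    Third-party certifications (other issuers) are left out: they say
    nothing about whether the key owner still stands behind the user ID.
    """
    return [s for s in sigs
            if s.issuer == primary_key_id
            and (s.sig_type in CERT_TYPES or s.sig_type == CERT_REVOCATION)]


def resolve(sigs, primary_key_id):
    """Status of one user ID/attribute from the self-signatures on it.

    Model of the rule from the thread: among the primary key's own
    certifications and revocations the most recently created one decides,
    so a later self-certification overrides an earlier revocation, and a
    later revocation overrides an earlier certification.
    Returns 'valid', 'revoked' or 'unsigned'.  No signature verification
    is performed here; the records are assumed to be already verified.
    """
    own = own_signatures(sigs, primary_key_id)
    if not own:
        return "unsigned"
    latest = max(own, key=lambda s: s.created)
    return "revoked" if latest.sig_type == CERT_REVOCATION else "valid"


def timeline(sigs, primary_key_id):
    """Status after each of the primary key's signatures, in creation order,
    to show how the user ID flips between valid and revoked over time."""
    ordered = sorted(own_signatures(sigs, primary_key_id), key=lambda s: s.created)
    return [(s.created.year, resolve(ordered[:i + 1], primary_key_id))
            for i, s in enumerate(ordered)]


def scenario():
    """The situation from the question: certify, revoke, then re-certify
    the same user ID years later (constructed dates)."""
    sigs = [
        sig(0x13, 2008),                 # original self-certification
        sig(0x30, 2011),                 # certification revocation
        sig(0x13, 2014),                 # new self-signature after the address came back
        sig(0x10, 2009, issuer=OTHER),   # third-party certification, ignored by resolve()
    ]
    return timeline(sigs, PRIMARY)


if __name__ == "__main__":
    for year, status in scenario():
        print(year, status)
```

Running the block prints the three states of the user ID, valid in 2008, revoked in 2011 and valid again in 2014, which is the "change one's mind" behaviour the reply attributes to GnuPG. The model deliberately keys on creation time alone, so a revocation whose creation date lies before the certification it claims to revoke is simply outranked by the newer certification; the RFC text quoted above says a revocation "should" carry the later date, and this is one consequence of relying on that ordering.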