Reusing signed user ID or attribute

Hauke Laging mailinglisten at hauke-laging.de
Fri Jan 17 13:28:50 CET 2014


On Fri, 17 Jan 2014 at 11:44:55, Daniele Ricci wrote:

> My question is the following: suppose I create a user ID or attribute.
> I sign it with my key and that's ok.
> One day I revoke that user ID or attribute and sign it again with a
> certification revocation.
> 
> A few years later, I want to restore that user ID or attribute
> because, e.g. I restored an old e-mail address. Is it enough to sign
> the revoked user attribute once again with a valid signature (then
> timestamps will do the rest) or do I have to create a new user ID with
> the same data?

I am afraid that depends on the implementation. The RFC isn't clear on 
that (if I understand it correctly).

It says about self-signatures (a revocation is not a self-signature in 
this sense, though):

"An implementation that encounters multiple self-signatures on the same 
object may resolve the ambiguity in any way it sees fit, but it is 
RECOMMENDED that priority be given to the most recent self-signature."

About revocations it says:

"0x30: Certification revocation signature
       This signature revokes an earlier User ID certification signature
       (signature class 0x10 through 0x13) or direct-key signature
       (0x1F).  It should be issued by the same key that issued the
       revoked signature or an authorized revocation key.  The signature
       is computed over the same data as the certificate that it
       revokes, and should have a later creation date than that
       certificate."

IIRC, GnuPG accepts a later self-signature (overriding the 
revocation). IMHO that makes the most sense. As long as the main key 
isn't revoked or expired, why shouldn't one "change one's mind"?

I haven't tried it just now, but IIRC you have to delete the revocation 
first before you can create a new signature.


Hauke
-- 
Crypto for all: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
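The two readings of the RFC text discussed above (the RECOMMENDED "most recent self-signature wins" rule, versus treating a certification revocation as permanent) can be made concrete. The following is an added example, not GnuPG's code and not from the original thread: it models a User ID's signature set as (type, creation time, issuer) triples, evaluates it under both policies, and flags revocations that violate the "should have a later creation date" clause quoted from RFC 4880. The key IDs, timestamps and the `daniele_timeline()` scenario are constructed to mirror the question (certify, revoke, re-certify years later).

```python
"""Model of how an OpenPGP implementation may resolve several self-signatures
and certification revocations over one User ID.

Illustrative only: the two policies below are models of the two readings of
RFC 4880, not GnuPG's actual implementation.
"""
from dataclasses import dataclass
from typing import Dict, List

# Signature types from RFC 4880, section 5.2.1
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}  # generic/persona/casual/positive cert
CERTIFICATION_REVOCATION = 0x30                 # revokes an earlier 0x10-0x13 (or 0x1F)

# Constructed key IDs for the example (not real keys)
OWNER = "0123456789ABCDEF"
THIRD_PARTY = "FEDCBA9876543210"
NOW = 1390000000  # roughly 2014-01-17, the date of the thread


@dataclass(frozen=True)
class Signature:
    sig_type: int  # one of the RFC 4880 signature types above
    created: int   # signature creation time, seconds since the epoch
    issuer: str    # key ID of the issuing key (hex string)


def self_signatures(sigs: List[Signature], owner: str) -> List[Signature]:
    """Keep only certifications and certification revocations made by the key
    owner over this User ID, oldest first.  Third-party certifications do not
    take part in deciding whether the owner still claims the User ID."""
    return sorted(
        (s for s in sigs
         if s.issuer == owner
         and (s.sig_type in CERTIFICATION_TYPES
              or s.sig_type == CERTIFICATION_REVOCATION)),
        key=lambda s: s.created,
    )


def status_most_recent_wins(sigs: List[Signature], owner: str, now: int) -> str:
    """Policy A: give priority to the most recent self-signature (RFC 4880
    5.2.3.3, RECOMMENDED).  Applied to 0x30 as well, a certification that is
    newer than the revocation reinstates the User ID.  Signatures dated in
    the future are ignored rather than trusted."""
    own = [s for s in self_signatures(sigs, owner) if s.created <= now]
    if not own:
        return "unsigned"
    newest = own[-1]
    return "revoked" if newest.sig_type == CERTIFICATION_REVOCATION else "valid"


def status_revocation_sticks(sigs: List[Signature], owner: str, now: int) -> str:
    """Policy B: a certification revocation is permanent for this User ID
    object; only a freshly created User ID with the same text could be
    certified again."""
    own = [s for s in self_signatures(sigs, owner) if s.created <= now]
    if any(s.sig_type == CERTIFICATION_REVOCATION for s in own):
        return "revoked"
    return "valid" if own else "unsigned"


def suspicious_revocations(sigs: List[Signature], owner: str) -> List[Signature]:
    """RFC 4880 says a 0x30 'should have a later creation date' than the
    certification it revokes.  Report revocations that predate every
    certification by the same key; such packets deserve a closer look."""
    own = self_signatures(sigs, owner)
    certs = [s for s in own if s.sig_type in CERTIFICATION_TYPES]
    revs = [s for s in own if s.sig_type == CERTIFICATION_REVOCATION]
    return [r for r in revs if not any(c.created < r.created for c in certs)]


def daniele_timeline() -> List[Signature]:
    """Constructed scenario from the question: positive self-certification
    in 2010, certification revocation in 2012, re-certification in 2014,
    plus one unrelated third-party certification."""
    return [
        Signature(0x13, 1262304000, OWNER),        # 2010-01-01 positive cert
        Signature(0x30, 1325376000, OWNER),        # 2012-01-01 cert revocation
        Signature(0x13, 1388534400, OWNER),        # 2014-01-01 re-certification
        Signature(0x10, 1293840000, THIRD_PARTY),  # 2011-01-01, ignored here
    ]


def compare_policies(sigs: List[Signature], owner: str, now: int) -> Dict[str, object]:
    """Evaluate one User ID's signature set under both policies."""
    return {
        "most_recent_wins": status_most_recent_wins(sigs, owner, now),
        "revocation_sticks": status_revocation_sticks(sigs, owner, now),
        "suspicious_revocations": len(suspicious_revocations(sigs, owner)),
    }


if __name__ == "__main__":
    print(compare_policies(daniele_timeline(), OWNER, NOW))
```

Under policy A the 2014 re-certification makes the User ID valid again, under policy B it stays revoked; the same packets, two different answers, which is exactly why the outcome depends on the implementation reading the key.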