Reusing signed user ID or attribute

Daniele Ricci daniele.athome at
Sun Jan 19 15:55:51 CET 2014

Ok, so I have to conclude it's implementation specific?
I'm using a custom user attribute to store something that can change
quite often (privacy lists for a chat user). What do you suggest?

On Fri, Jan 17, 2014 at 1:28 PM, Hauke Laging
<mailinglisten at> wrote:
> On Fri 17.01.2014, 11:44:55, Daniele Ricci wrote:
>> My question is the following: suppose I create a user ID or attribute.
>> I sign it with my key and that's ok.
>> One day I revoke that user ID or attribute and sign it again with a
>> certification revocation.
>> A few years later, I want to restore that user ID or attribute
>> because, e.g. I restored an old e-mail address. Is it enough to sign
>> the revoked user attribute once again with a valid signature (then
>> timestamps will do the rest) or do I have to create a new user ID with
>> the same data?
> I am afraid that depends on the implementation. The RFC isn't clear on
> that (if I understand it correctly).
> It says about self-signatures (a revocation is not a self-signature in
> this sense, though):
> "An implementation that encounters multiple self-signatures on the same
> object may resolve the ambiguity in any way it sees fit, but it is
> RECOMMENDED that priority be given to the most recent self-signature."
> About revocations it says:
> "0x30: Certification revocation signature
>        This signature revokes an earlier User ID certification signature
>        (signature class 0x10 through 0x13) or direct-key signature
>        (0x1F).  It should be issued by the same key that issued the
>        revoked signature or an authorized revocation key.  The signature
>        is computed over the same data as the certificate that it
>        revokes, and should have a later creation date than that
>        certificate."
> IIRC then GnuPG accepts a later self-signature (overriding the
> revocation). IMHO that makes most sense. As long as the mainkey isn't
> revoked or expired why shouldn't one "change one's mind"?
> I haven't tried now but IIRC you have to delete the revocation first
> before you can create a new signature.
> Hauke
> --
> Crypto for all:
> OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
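
The ambiguity discussed in this thread, as an added example that is not part of the original messages and not GnuPG's code: two hypothetical resolution policies applied to the same constructed signature history (certify, revoke, certify again) reach opposite conclusions. The Sig record, the policy functions, the key ID placeholder and the timestamps are assumptions made for illustration; revocations from an authorized revocation key are not modelled.

```python
from dataclasses import dataclass

SELF_CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # User ID certification classes
CERT_REVOCATION = 0x30                      # certification revocation signature

@dataclass(frozen=True)
class Sig:
    sig_type: int   # OpenPGP signature type octet
    created: int    # signature creation time, seconds since the epoch
    issuer: str     # key ID of the issuing key

def relevant(sigs, primary_key_id):
    """Keep only certifications and revocations issued by the primary key."""
    return [s for s in sigs
            if s.issuer == primary_key_id
            and (s.sig_type in SELF_CERT_TYPES or s.sig_type == CERT_REVOCATION)]

def valid_latest_wins(sigs, primary_key_id):
    """Hypothetical policy A: the newest signature decides.
    On equal timestamps the revocation wins (fail closed)."""
    own = relevant(sigs, primary_key_id)
    if not own:
        return False
    newest = max(own, key=lambda s: (s.created, s.sig_type == CERT_REVOCATION))
    return newest.sig_type in SELF_CERT_TYPES

def valid_revocation_sticky(sigs, primary_key_id):
    """Hypothetical policy B: any revocation invalidates the user ID for good."""
    own = relevant(sigs, primary_key_id)
    has_cert = any(s.sig_type in SELF_CERT_TYPES for s in own)
    has_rev = any(s.sig_type == CERT_REVOCATION for s in own)
    return has_cert and not has_rev

# Constructed sample data: placeholder key IDs and made-up timestamps.
KEY = "PRIMARY-KEY-ID-PLACEHOLDER"
SCENARIO = [
    Sig(0x13, 1262304000, KEY),            # original self-signature
    Sig(0x30, 1293840000, KEY),            # later certification revocation
    Sig(0x10, 1300000000, "OTHER-KEY-ID"), # third-party certification, ignored
    Sig(0x13, 1389999999, KEY),            # user ID signed again years later
]

if __name__ == "__main__":
    print("latest wins:      ", valid_latest_wins(SCENARIO, KEY))
    print("revocation sticky:", valid_revocation_sticky(SCENARIO, KEY))
```

Data that changes often and is stored in a user attribute accumulates a history like this one, so whether the attribute is treated as current depends on which policy the consuming implementation follows.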


More information about the Gnupg-users mailing list