Reusing signed user ID or attribute

Daniele Ricci daniele.athome at gmail.com
Sun Jan 19 15:55:51 CET 2014


Ok, so I have to conclude it's implementation specific?
I'm using a custom user attribute to store something that can change
quite often (privacy lists for a chat user). What do you suggest?


On Fri, Jan 17, 2014 at 1:28 PM, Hauke Laging
<mailinglisten at hauke-laging.de> wrote:
> On Fri 17.01.2014, 11:44:55 Daniele Ricci wrote:
>
>> My question is the following: suppose I create a user ID or attribute.
>> I sign it with my key and that's ok.
>> One day I revoke that user ID or attribute and sign it again with a
>> certification revocation.
>>
>> A few years later, I want to restore that user ID or attribute
>> because, e.g. I restored an old e-mail address. Is it enough to sign
>> the revoked user attribute once again with a valid signature (then
>> timestamps will do the rest) or do I have to create a new user ID with
>> the same data?
>
> I am afraid that depends on the implementation. The RfC isn't clear on
> that (if I understand it correctly).
>
> It says about self-signatures (a revocation is not a self-signature in
> this sense, though):
>
> "An implementation that encounters multiple self-signatures on the same
> object may resolve the ambiguity in any way it sees fit, but it is
> RECOMMENDED that priority be given to the most recent self-signature."
>
> About revocations it says:
>
> "0x30: Certification revocation signature
>        This signature revokes an earlier User ID certification signature
>        (signature class 0x10 through 0x13) or direct-key signature
>        (0x1F).  It should be issued by the same key that issued the
>        revoked signature or an authorized revocation key.  The signature
>        is computed over the same data as the certificate that it
>        revokes, and should have a later creation date than that
>        certificate."
>
> IIRC then GnuPG accepts a later self-signature (overriding the
> revocation). IMHO that makes most sense. As long as the mainkey isn't
> revoked or expired why shouldn't one "change one's mind"?
>
> I haven't tried now but IIRC you have to delete the revocation first
> before you can create a new signature.
>
>
> Hauke
> --
> Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
> http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
> OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5



-- 
Daniele
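The thread leaves open how an implementation resolves a user ID or attribute that carries an old certification, a later 0x30 revocation, and a still later re-certification. The following is an added example (not code from the thread, not GnuPG's, and not the OpenPGP spec's reference behaviour) that models one defensible policy from the two RFC 4880 passages quoted above: walk the key's own signatures on the object in creation-time order so the most recent one wins, ignore a revocation that is not dated after a certification it could revoke, and let a certification created after a revocation supersede it, which is the "change one's mind" behaviour Hauke recalls GnuPG showing. Key IDs, years and the attribute name are constructed sample values; the model also assumes only the primary key itself issues the signatures and leaves out the "authorized revocation key" case the RFC mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple

# Signature classes from RFC 4880, section 5.2.1 (the values quoted in the thread).
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}   # User ID / User Attribute certifications
CERT_REVOCATION = 0x30                    # Certification revocation signature


@dataclass(frozen=True)
class Signature:
    sig_class: int      # 0x10..0x13 for a certification, 0x30 for a revocation
    issuer: str         # key ID of the issuing key (constructed sample values below)
    created: datetime   # signature creation time
    target: str         # the User ID / attribute the signature is computed over


def resolve_status(sigs: Iterable[Signature], primary_key_id: str,
                   target: str) -> Tuple[str, Optional[Signature]]:
    """Return ("valid" | "revoked" | "unsigned", winning signature or None).

    Policy modelled here (an assumption for this example, not GnuPG's code):
      * only self-signatures (issuer == primary key) on this target count;
      * signatures are walked in creation-time order, so the most recent
        one has priority, as RFC 4880 RECOMMENDS for self-signatures;
      * a 0x30 revocation only takes effect if a certification precedes it,
        because it "should have a later creation date" than what it revokes;
      * a certification created after a revocation supersedes it.
    """
    relevant = [s for s in sigs
                if s.issuer == primary_key_id and s.target == target
                and (s.sig_class in CERT_CLASSES or s.sig_class == CERT_REVOCATION)]
    state, winner = "unsigned", None
    for s in sorted(relevant, key=lambda s: s.created):
        if s.sig_class in CERT_CLASSES:
            state, winner = "valid", s
        elif state == "valid":          # revocation of an existing certification
            state, winner = "revoked", s
        # else: a revocation with nothing earlier to revoke is ignored
    return state, winner


def _ts(year: int) -> datetime:
    return datetime(year, 1, 1, tzinfo=timezone.utc)


# Constructed sample data: primary key "KEY-A", the attribute in question, and an
# unrelated key "KEY-B" whose signature must not count as a self-signature.
PRIMARY = "KEY-A"
ATTR = "privacy-list-attribute"


def scenario(*events) -> str:
    """events are (sig_class, issuer, year) tuples; returns the status string."""
    sigs = [Signature(c, who, _ts(y), ATTR) for c, who, y in events]
    return resolve_status(sigs, PRIMARY, ATTR)[0]


if __name__ == "__main__":
    # 1. certify 2010, revoke 2012 -> revoked
    print(scenario((0x13, PRIMARY, 2010), (0x30, PRIMARY, 2012)))
    # 2. ... then sign again in 2014 -> valid again (the case asked about in the thread)
    print(scenario((0x13, PRIMARY, 2010), (0x30, PRIMARY, 2012), (0x13, PRIMARY, 2014)))
    # 3. a revocation dated before the certification it would revoke is ignored
    print(scenario((0x30, PRIMARY, 2009), (0x13, PRIMARY, 2010)))
    # 4. a third party's certification is not a self-signature at all
    print(scenario((0x13, "KEY-B", 2010)))
```

For an attribute that changes as often as a chat privacy list, the practical consequence of this policy is that every update is a new self-signature with a later creation time, and the key's clock and signature ordering, not the presence of an old revocation, decide which version a verifier treats as current; an implementation that instead gives the revocation permanent priority would force a freshly created attribute packet, so checking the behaviour of each consuming implementation remains necessary.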


