[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: How to update a self-signature?
On Mon, Aug 27, 2001 at 08:48:32PM +0200, Werner Koch wrote:
> On Mon, 27 Aug 2001 12:35:40 -0400, David Shaw said:
> > to really revoke a revocation. I assume you mean revoking a user ID
> > revocation by re-signing the user ID?
> Yes. I talked with Florian about this recently.
> > I'm only trying to make a case for what happens if after everything is
> > worked out and the implementation ends up with more than one valid
> There shouldn't be any date conflicts with self-signatures - but it
> may happen. The way to handle it for a general purpose implemention is
> to ignore all signatures during key import which are older than
> existing one. That you ignore all self-signatures which are invalid
> should be clear.
This is effectively the same thing as the "use the latest" suggestion.
Either way, you are picking the most recent signature. I like your
idea a bit more as it seems more elegant - resolving the problem once
at key import time rather than each time the key is used. It also
keeps the key small - no long trail of signatures from each preference
It does share a gotcha with the "use the latest" suggestion - if the
user who makes one of those signatures has a wonky clock that thinks
it is 2010, then they could find themselves with a self-signature that
can't be replaced because the implementations will always favor the
signature from the future. The implementation will need to do some
sort of sanity checking there. Either way, I think it's safe to say
that incorrect clocks are out of the scope of 2440!
> So I do not see a problem before the year 2106 and most of us won't see
> it ever.
Around 2090, the OpenPGP WG of the future will have to make a key
packet version 58 or so that has an 8 byte time. :)
David Shaw | Technical Lead
<dshaw@xxxxxxxxxx> | Enterprise Content Delivery
617-250-3028 | Akamai Technologies