IETF Logo Mail Archive

Re: How to update a self-signature?

David Shaw <dshaw@akamai.com> Mon, 27 August 2001 21:19 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA00924 for <openpgp-archive@odin.ietf.org>; Mon, 27 Aug 2001 17:19:57 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f7RKxAG26618 for ietf-openpgp-bks; Mon, 27 Aug 2001 13:59:10 -0700 (PDT)
Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f7RKx9D26613 for <ietf-openpgp@imc.org>; Mon, 27 Aug 2001 13:59:09 -0700 (PDT)
Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.9.3/8.9.3) id QAA05348 for ietf-openpgp@imc.org; Mon, 27 Aug 2001 16:59:00 -0400
Date: Mon, 27 Aug 2001 16:59:00 -0400
From: David Shaw <dshaw@akamai.com>
To: ietf-openpgp@imc.org
Subject: Re: How to update a self-signature?
Message-ID: <20010827165900.D834@akamai.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <p05100303b7aaf65aff68@[192.168.1.180]> <008601c12c52$1b6181c0$c23fa8c0@transarc.ibm.com> <p0510031fb7ab945664e5@[192.168.1.180]> <002b01c12d74$b105fb20$c23fa8c0@transarc.ibm.com> <20010827094849.A26895@akamai.com> <87y9o5imcn.fsf@alberti.gnupg.de> <20010827123540.A834@akamai.com> <87y9o5gwzj.fsf@alberti.gnupg.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <87y9o5gwzj.fsf@alberti.gnupg.de>; from wk@gnupg.org on Mon, Aug 27, 2001 at 08:48:32PM +0200
X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18
X-URL: http://www.jabberwocky.com/
X-Phase-Of-Moon: The Moon is Waxing Gibbous (68% of Full)
X-Pointless-Random-Number: 112
X-Silly-Header: It sure is.
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, Aug 27, 2001 at 08:48:32PM +0200, Werner Koch wrote:
> 
> On Mon, 27 Aug 2001 12:35:40 -0400, David Shaw said:
> 
> > to really revoke a revocation.  I assume you mean revoking a user ID
> > revocation by re-signing the user ID?
> 
> Yes. I talked with Florian about this recently.
> 
> > I'm only trying to make a case for what happens if after everything is
> > worked out and the implementation ends up with more than one valid
> 
> There shouldn't be any date conflicts with self-signatures - but it
> may happen.  The way to handle it for a general purpose implemention is
> to ignore all signatures during key import which are older than
> existing one. That you ignore all self-signatures which are invalid
> should be clear.

This is effectively the same thing as the "use the latest" suggestion.
Either way, you are picking the most recent signature.  I like your
idea a bit more as it seems more elegant - resolving the problem once
at key import time rather than each time the key is used.  It also
keeps the key small - no long trail of signatures from each preference
change.

It does share a gotcha with the "use the latest" suggestion - if the
user who makes one of those signatures has a wonky clock that thinks
it is 2010, then they could find themselves with a self-signature that
can't be replaced because the implementations will always favor the
signature from the future.  The implementation will need to do some
sort of sanity checking there.  Either way, I think it's safe to say
that incorrect clocks are out of the scope of 2440!

> So I do not see a problem before the year 2106 and most of us won't see
> it ever.

Around 2090, the OpenPGP WG of the future will have to make a key
packet version 58 or so that has an 8 byte time. :)

David

-- 
David Shaw          |  Technical Lead
<dshaw@akamai.com>  |  Enterprise Content Delivery
617-250-3028        |  Akamai Technologies

v2.23.0 | Report a Bug | By Email