Yep, I understand the purposes of key signatures. But (unlike with your bag/tie analogy), two signatures from the same key don't make a key twice as valid. If only the most recent one is kept, that should be sufficient. If you add a new uid, only that uid needs to be signed, there's no need to add another signature to all of them.
> If you're thinking of the other signatures, consider that people spend a lot of time and travel large distances to gain signatures on their keys - why should that be wiped out arbitrarily?
Because it's redundant. If I have two signatures on my key from someone, either one of them is equally valid. No need to keep two.
> Even if the key that made the signature is out of use, the signature itself is still valid - it testifies that the owner of the key was verified on the date shown by the person named in the signing key.
Yep, and I'm not proposing discarding arbitrary signatures. But if there are two signatures from a key, regardless of whether it's out of use, you don't need to keep them both. Does it testify that the owner of the key was verified once, and then again on another date? If so, what reason is there to keep both signatures? If I sign a contract, does signing it twice make it more valid/enforceable/something? On the other hand, if the signature has expired, since it becomes meaningless there's no reason to keep it. Look at the PGP Global Directory key for an example of where this could become a problem. It re-signs the keys every two weeks, with a signature that is valid for two weeks. This builds up pretty quickly.
> Why is a new signature (of either type) more important than an old one?
It's not, but defining a specific behaviour is generally a good idea when talking about how computers should behave. Defining this would tell the keyservers what to do when synchronising, which I've heard as the reason it retains all keys+sigs forever. In fact ... now that I think about it, if this were done, it would be possible for the keyservers to handle that better too: It could retain only the most recent signature for a key on each uid, and only give out the keys if the most recent self-signature is not a revocation signature. But, it could still hang on to all keys for comparison, so that when synchronization rolls around it doesn't just treat it as a new key.

-- 
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.
OpenPGP key id: 51192FF2 @ subkeys.pgp.net
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
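The pruning policy argued for in the post (drop expired certifications, keep only the newest signature from each signer on each uid, and stop serving a key whose self-signatures have all been superseded by revocations) is small enough to state as code. The following is an added illustration written for this page, not GnuPG or any keyserver's own code; the `Sig` record, the key labels `OWNER`, `BOB` and `GDIR`, the two uids and the dates are all constructed for the example, and "don't serve the key" is read here as "no uid has a live self-signature". The `GDIR` signer mimics the PGP Global Directory pattern the post describes: one signature every two weeks, each valid for two weeks.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Sig:
    """One certification on a uid (a constructed record, not a parsed OpenPGP packet)."""
    signer: str                  # key id of the key that made the signature
    uid: str                     # user id the signature certifies
    created: datetime
    expires: Optional[datetime]  # None: the signature never expires
    revocation: bool = False     # True: revokes the signer's earlier certification of this uid


def is_expired(sig: Sig, now: datetime) -> bool:
    return sig.expires is not None and sig.expires <= now


def prune(sigs, now: datetime):
    """Policy from the post: discard expired sigs, then keep only the most recent
    signature per (uid, signer). Because a certification revocation is itself a
    newer signature from the same signer on the same uid, it survives and the
    certification it revokes is the one that gets dropped."""
    latest = {}
    for s in sigs:
        if is_expired(s, now):
            continue
        k = (s.uid, s.signer)
        if k not in latest or s.created > latest[k].created:
            latest[k] = s
    return sorted(latest.values(), key=lambda s: (s.uid, s.signer))


def live_uids(owner: str, sigs, now: datetime):
    """uids whose most recent unexpired self-signature is not a revocation."""
    return {s.uid for s in prune(sigs, now) if s.signer == owner and not s.revocation}


def should_serve(owner: str, sigs, now: datetime) -> bool:
    """Keyserver rule from the post: hand out the key only if some uid is still live."""
    return bool(live_uids(owner, sigs, now))


# --- constructed sample ------------------------------------------------------
T0 = datetime(2006, 1, 1)
D = timedelta(days=1)
UID1 = "Alice <alice@example.org>"
UID2 = "Alice <alice@example.net>"
OWNER, BOB, GDIR = "OWNER", "BOB", "GDIR"   # hypothetical key labels

SAMPLE = [
    Sig(OWNER, UID1, T0, None),                        # self-sig on uid 1
    Sig(OWNER, UID2, T0, None),                        # self-sig on uid 2 ...
    Sig(OWNER, UID2, T0 + 30 * D, None, revocation=True),  # ... later revoked
    Sig(BOB, UID1, T0 + 10 * D, None),                 # Bob certified uid 1 twice;
    Sig(BOB, UID1, T0 + 40 * D, None),                 # only the newer one is needed
] + [
    # "global directory" style: re-signed every 14 days, each sig valid 14 days
    Sig(GDIR, UID1, T0 + i * 14 * D, T0 + (i + 1) * 14 * D) for i in range(6)
]
NOW = T0 + 80 * D


if __name__ == "__main__":
    print(f"{len(SAMPLE)} signatures stored, {len(prune(SAMPLE, NOW))} after pruning")
    for s in prune(SAMPLE, NOW):
        print(f"  {s.uid:28} {s.signer:6} {s.created:%Y-%m-%d}"
              f"{' (revocation)' if s.revocation else ''}")
    print("live uids:", live_uids(OWNER, SAMPLE, NOW))
    print("serve key:", should_serve(OWNER, SAMPLE, NOW))
```

With these dates, the six fortnightly directory signatures collapse to the single one that is still within its validity window, Bob's two certifications collapse to the newer one, and uid 2 is left holding only the revocation; the key is still served because uid 1 has a live self-signature. Adding a revocation for uid 1 as well flips `should_serve` to false, and advancing `NOW` past the last directory signature's expiry removes it without anything else changing.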