On Tue, Jan 03, 2006 at 07:59:08PM -0800, [EMAIL PROTECTED] wrote:
> 
> >Message: 8
> >Date: Tue, 3 Jan 2006 19:43:01 -0500
> >From: David Shaw <[EMAIL PROTECTED]>
> >Subject: Re: updating a key's self-signature
> 
> >Yes, but note that it's still possible for someone to get the old
> >self-sig from a keyserver.
> 
> what good would that do anyone once the old signature hash is no 
> longer trusted,
> and the key is updated with the new one ?

Remember that keys are merged on the keyservers, so you'll end up with
both self-sigs present.  To be sure, GPG will use the more recent,
stronger, self-sig, but the old one is still there.

If an attacker compromises the keyserver or in any way distributes
your key himself, he can remove the new self-sig, leaving the old one
behind.

It's not much of an attack.  I wouldn't lose sleep over it.

> >Despite the recent attacks, I'd use SHA-1.
> 
> i'd prefer whirlpool, but settled for sha-256 ;-)

This is fine, but note that the key may not work in older versions of
PGP and GPG.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
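
Added example, not part of the original message and not GnuPG's own code: a minimal Python reader for v4 OpenPGP signature packets that shows the merge behaviour described above (both self-sigs present, the most recent one used) and flags a copy of the key from which the newer self-sig has been removed. The packets are constructed samples with dummy signature values; the function names, the timestamps and the locally recorded `PINNED` value are assumptions, and nothing here verifies signatures or checks the issuer.

```python
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 10: "SHA512"}  # RFC 4880 ids

def make_sig(hash_id, created):
    """Constructed sample packet: v4 signature, type 0x13, dummy (invalid) signature value."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)  # subpacket: length 5, type 2 = creation time
    body = bytes([4, 0x13, 1, hash_id]) + struct.pack(">H", len(hashed)) + hashed
    body += b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\xff"  # no unhashed area, hash prefix, dummy MPI
    return bytes([0xC2, len(body)]) + body               # new-format header, tag 2, 1-octet length

def self_sigs(stream):
    """Return [(creation_time, hash_name)] for the v4 signature packets in stream."""
    found, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream) or stream[i] != 0xC2 or stream[i + 1] >= 192:
            raise ValueError("example only handles short new-format signature packets")
        body = stream[i + 2 : i + 2 + stream[i + 1]]
        i += 2 + stream[i + 1]
        if len(body) < 6 or body[0] != 4:
            continue
        hashed = body[6 : 6 + struct.unpack(">H", body[4:6])[0]]
        j, created = 0, None
        while j + 2 <= len(hashed) and 0 < hashed[j] < 192:
            if hashed[j + 1] & 0x7F == 2 and hashed[j] == 5 and j + 6 <= len(hashed):
                created = struct.unpack(">I", hashed[j + 2 : j + 6])[0]
            j += 1 + hashed[j]
        if created is not None:
            found.append((created, HASH_NAMES.get(body[3], "id %d" % body[3])))
    return found

def effective(stream):
    """The self-sig that wins after a merge: the most recent one."""
    return max(self_sigs(stream))

def newest_sig_missing(stream, pinned):
    """True when a fetched copy lacks the self-sig recorded locally as newest."""
    return pinned not in self_sigs(stream)

OLD = make_sig(2, 1100000000)   # constructed: older SHA-1 self-sig
NEW = make_sig(8, 1136300000)   # constructed: newer SHA-256 self-sig
MERGED = OLD + NEW              # what a keyserver holds after merging
PINNED = effective(MERGED)      # recorded locally when the new self-sig was made

if __name__ == "__main__":
    print("merged copy uses:", effective(MERGED))
    print("stripped copy uses:", effective(OLD), "flagged:", newest_sig_missing(OLD, PINNED))
```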
