On Fri 17.01.2014, 11:44:55, Daniele Ricci wrote:
> My question is the following: suppose I create a user ID or attribute.
> I sign it with my key and that's ok.
> One day I revoke that user ID or attribute and sign it again with a
> certification revocation.
>
> A few years later, I want to restore that user ID or attribute
> because, e.g. I restored an old e-mail address. Is it enough to sign
> the revoked user attribute once again with a valid signature (then
> timestamps will do the rest) or do I have to create a new user ID with
> the same data?

I am afraid that depends on the implementation. The RFC isn't clear on
that (if I understand it correctly). It says about self-signatures (a
revocation is not a self-signature in this sense, though):

"An implementation that encounters multiple self-signatures on the same
object may resolve the ambiguity in any way it sees fit, but it is
RECOMMENDED that priority be given to the most recent self-signature."

About revocations it says:

"0x30: Certification revocation signature
This signature revokes an earlier User ID certification signature
(signature class 0x10 through 0x13) or direct-key signature (0x1F). It
should be issued by the same key that issued the revoked signature or
an authorized revocation key. The signature is computed over the same
data as the certificate that it revokes, and should have a later
creation date than that certificate."

IIRC then GnuPG accepts a later self-signature (overriding the
revocation). IMHO that makes most sense. As long as the mainkey isn't
revoked or expired why shouldn't one "change one's mind"?

I haven't tried now but IIRC you have to delete the revocation first
before you can create a new signature.

Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
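
Added illustration, not part of the original message and not GnuPG's code: a small Python model of the two ways an implementation could resolve the signature history discussed above (certification, then 0x30 revocation, then a newer certification). The policy names "latest-wins" and "sticky-revocation", the Sig record and the sample history are assumptions made for the example; signatures are assumed to be already cryptographically verified, and authorized revocation keys are not modelled.

```python
from dataclasses import dataclass

CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # User ID certification classes
REVOCATION = 0x30                       # certification revocation signature

@dataclass(frozen=True)
class Sig:
    sig_type: int   # OpenPGP signature class
    created: int    # creation time, seconds since the epoch
    issuer: str     # key ID of the issuing key

def uid_status(sigs, primary_key, policy="latest-wins"):
    """Return 'valid', 'revoked' or 'unbound' for one User ID.

    Only signatures issued by the primary key itself are considered,
    i.e. self-signatures and the owner's own revocations.
    """
    own = [s for s in sigs if s.issuer == primary_key
           and (s.sig_type in CERT_TYPES or s.sig_type == REVOCATION)]
    if not own:
        return "unbound"
    if policy == "sticky-revocation":
        # Hypothetical strict reading: any revocation is permanent.
        revoked = any(s.sig_type == REVOCATION for s in own)
        return "revoked" if revoked else "valid"
    # "latest-wins": the newest signature decides. On equal creation
    # times the revocation wins, which is the conservative choice.
    newest = max(own, key=lambda s: (s.created, s.sig_type == REVOCATION))
    return "revoked" if newest.sig_type == REVOCATION else "valid"

# Constructed sample history for one User ID (not real key material).
KEY = "PRIMARY-KEY-ID"
HISTORY = [
    Sig(0x13, 1262304000, KEY),   # original self-signature
    Sig(0x30, 1325376000, KEY),   # later revocation of the User ID
    Sig(0x13, 1389916800, KEY),   # newer self-signature "restoring" it
]

if __name__ == "__main__":
    for policy in ("latest-wins", "sticky-revocation"):
        print(policy, "->", uid_status(HISTORY, KEY, policy))
```

The same key material yields different answers under the two policies, which is why a restored User ID should be checked with every OpenPGP implementation that correspondents are expected to use.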