On 04/26/2011 04:06 PM, Aaron Toponce wrote:
> I signed a key, which defaulted to cert-level 0 (I will not answer),
> which must be the default. When signing the key, GnuPG didn't ask me about
> any checking. However, I would like to update the cert-level to 2 (I have
> done casual checking), but I'm unaware of how to do this. Do I need to
> revoke my signature, and re-sign, seeing as though GnuPG won't let me sign
> the key if I've already signed it?

The OpenPGP spec says that only one certification of a given key+UserID from a particular primary key is valid -- it is the one with the most recent certification creation time.

Each certification indicates what you're calling the "cert-level" in the signature type, which is of course part of the message that is cryptographically signed. So you'll be issuing a new certification instead of "updating" an old one.

Consequently, there is also no need to revoke an old certification before issuing a new one, since the new one supersedes it.

Before you start doing --ask-cert-level generally: ask yourself what you expect to gain from it. Ask also what you expect your peers/correspondents to gain from it. Does the extra complexity give you anything concretely worth more than the hassle/confusion it introduces?

--dkg
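
The rule described in the reply above, as an added example that is not part of the original thread: for each issuer and user ID, keep only the certification with the newest creation time and read the cert-level from its signature type (0x10 to 0x13). It assumes `gpg --with-colons --list-sigs` style records with epoch-second creation times; the key IDs, names and timestamps are constructed, and `effective_certifications` is a hypothetical helper name.

```python
# Constructed sample in the style of `gpg --with-colons --list-sigs`.
# Key IDs, names and timestamps are made up for illustration.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1300000000:::u:::scESC:
uid:u::::1300000000::0000::Alice <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1300000000::::Alice <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1303855560::::Bob <bob@example.org>:10x:
sig:::1:BBBBBBBBBBBBBBBB:1303941960::::Bob <bob@example.org>:12x:
sig:::1:CCCCCCCCCCCCCCCC:1303000000::::Carol <carol@example.org>:11x:
"""

# OpenPGP certification signature types (RFC 4880, section 5.2.1) mapped to
# the GnuPG cert-level they encode.
CERT_LEVELS = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}


def effective_certifications(colons_text):
    """Return {(uid, issuer_keyid): (cert_level, created)}, keeping for each
    issuer and user ID only the certification with the newest creation time."""
    best = {}
    uid = None
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]                      # field 10: user ID being certified
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            sig_class = int(f[10][:2], 16)  # field 11: e.g. "12x" -> 0x12
            if sig_class not in CERT_LEVELS:
                continue                    # not a certification; revocations are ignored here
            created = int(f[5])             # field 6: assumed epoch seconds
            key = (uid, f[4])               # field 5: issuer key ID
            if key not in best or created > best[key][1]:
                best[key] = (CERT_LEVELS[sig_class], created)
    return best


if __name__ == "__main__":
    for (uid, issuer), (level, created) in sorted(effective_certifications(SAMPLE).items()):
        print(f"{uid}  issuer={issuer}  cert-level={level}  created={created}")
```

In the sample, Bob's later 0x12 certification replaces his earlier 0x10 one without any revocation being present.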