On Apr 27, 2011, at 5:11 AM, Aaron Toponce wrote:

> On Tue, Apr 26, 2011 at 01:12:00PM -0700, Doug Barton wrote:
>> I think you can delsig, then sign again. The keyservers would have
>> both, but hopefully client software (like gpg) would be smart enough
>> to use the more recent? I would imagine that revoking a signature
>> and then signing again would make it worse instead of better?
>> 
>> Meanwhile, add ask-cert-level to your gpg.conf.
> 
> This is what I ended up doing. I deleted the signature, and re-signed.
> Further, I've added 'ask-cert-level' to my gpg.conf, for future signings.
> And, out of curiosity, I checked the signatures on my own key, and found
> them all to be cert level '0', which I was a bit bummed about. Oh well.

Given the people involved in a key signing (the signer, the signee, and a third 
party who sees the signature later), more than anything else, it's an 
informational (only) message from the signer to the third party.  Since by 
default it doesn't really change how the key signature is interpreted (that is, 
level 2 == level 3 == level 0), most people don't bother to set one.

Incidentally, it is possible to tweak the trust calculations to take signature 
level into account.  GnuPG supports reading a trust "map" generated by an 
external process that can use whatever trust rules it likes.  I don't know of 
anyone using this ability offhand.

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
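
The check described in the thread (looking at the certification level of each signature on a key) can be scripted from the output of `gpg --with-colons --list-sigs`, where field 11 of each `sig` record holds the signature class (0x10 to 0x13 correspond to levels 0 to 3). This is an added example, not code from the thread or from GnuPG; the sample records, names and key IDs are constructed.

```python
# Certification signature classes (RFC 4880, section 5.2.1) -> cert level
CERT_LEVELS = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}

def cert_levels(colon_output):
    """Return one dict per certification found in --with-colons output."""
    results, primary, uid = [], None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 9:
            primary = f[4]
            uid = f[9] or None          # older gpg puts the first uid here
        elif f[0] == "uid" and len(f) > 9:
            uid = f[9]
        elif f[0] == "sig" and len(f) > 10:
            sigclass = f[10]            # e.g. "13x": class 0x13, exportable
            try:
                cls = int(sigclass[:2], 16)
            except ValueError:
                continue                # malformed or empty class field
            if cls not in CERT_LEVELS:
                continue                # not a certification of a user ID
            results.append({
                "uid": uid,
                "signer": f[4],
                "level": CERT_LEVELS[cls],
                "exportable": sigclass.endswith("x"),
                "self_sig": f[4] == primary,
            })
    return results

# Constructed sample in the shape of `gpg --with-colons --list-sigs <key>`
SAMPLE = """\
pub:u:4096:1:1111111111111111:1262304000:::u:::scESC:
uid:u::::1262304000::HASH::Carol Example <carol@example.org>:
sig:::1:1111111111111111:1262304000::::Carol Example <carol@example.org>:13x:
sig:::1:2222222222222222:1303776000::::Alice Example <alice@example.org>:10x:
sig:::1:3333333333333333:1303862400::::Bob Example <bob@example.org>:12x:
sig:::1:4444444444444444:1303862400::::Dave Example <dave@example.org>:13l:
rev:::1:5555555555555555:1303862400::::Eve Example <eve@example.org>:30x:
"""

if __name__ == "__main__":
    for s in cert_levels(SAMPLE):
        tag = "self" if s["self_sig"] else "3rd-party"
        scope = "exportable" if s["exportable"] else "local"
        print(f'{s["signer"]} level {s["level"]} {scope} {tag} on {s["uid"]}')
```
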
