-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 2 Jul 1999, Marcel Waldvogel wrote:
> Both strategies, either keeping the first (revocation) signature or
> updating them, are open to DoS. I would prefer the keyservers to keep
> (and return) all duplicate (revocation) signatures, but only display
> one of them. Then the user's OpenPGP implementation should deal with
> it. Duplicate signatures shouldn't break anything, but I would like
> to know whether anyone assumes that duplicate revocations might break

I do not think they break something. OpenPGP implementation should handle
multiple signatures with similar meaning.
If there are implementations which have different behaviour according to
the additional information of the signature, they can have problems.
Such additional information is the creation time of the signature (an
implementation could treat signatures as valid if they occurred before the
revocation of the key) or the reason for the revocation (if the reason is
a changed userID the OpenPGP implementation could take signatures for
valid, but not if the reason is a compromised key).
IMHO the keyservers should store all key information and not try to guess
what part of this information an application needs to work.
PGP-KeyID: DD934139 (pafei(_at_)rubin(_dot_)ch) encrypt mail with PGP if
more about PGP on http://www.rubin.ch/pgp/ (english and german)
what is the web of trust? see http://www.rubin.ch/pgp/weboftrust.en.html
The web of trust of PGP: http://www.rubin.ch/pgp/weboftrust.de.html
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
-----END PGP SIGNATURE-----
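
An added example, not part of the original message and not code from any OpenPGP implementation or keyserver: it models the point made in the reply, that a client which uses a revocation's creation time or reason can reach a different verdict when the keyserver drops duplicate revocations. The client policy, the function names and the sample data are assumptions; the reason codes are those of RFC 4880, section 5.2.3.23.

```python
from dataclasses import dataclass

# Reason-for-revocation codes from RFC 4880, section 5.2.3.23.
KEY_COMPROMISED = 2
USER_ID_INVALID = 32

@dataclass(frozen=True)
class Revocation:
    created: int  # signature creation time, Unix seconds
    reason: int   # reason-for-revocation code

def keep_first(uploads):
    """Lossy keyserver policy: store only the first revocation received."""
    return uploads[:1]

def keep_all(uploads):
    """Policy argued for in the thread: store and return every revocation."""
    return list(uploads)

def display_one(revs):
    """Show a single revocation: a compromise first, otherwise the earliest."""
    return min(revs, key=lambda r: (r.reason != KEY_COMPROMISED, r.created))

def signature_trusted(sig_created, revs):
    """Assumed client policy: a compromise voids every signature; any other
    reason only voids signatures made at or after the earliest revocation."""
    if any(r.reason == KEY_COMPROMISED for r in revs):
        return False
    return not revs or sig_created < min(r.created for r in revs)

def compare(sig_created, uploads):
    """Return the client's verdict under (keep_first, keep_all)."""
    return (signature_trusted(sig_created, keep_first(uploads)),
            signature_trusted(sig_created, keep_all(uploads)))

# Constructed sample data, in keyserver upload order.
REASON_DIFFERS = [Revocation(2000, USER_ID_INVALID), Revocation(3000, KEY_COMPROMISED)]
TIME_DIFFERS = [Revocation(3000, USER_ID_INVALID), Revocation(1500, USER_ID_INVALID)]

if __name__ == "__main__":
    print(compare(1000, REASON_DIFFERS))  # (True, False)
    print(compare(2000, TIME_DIFFERS))    # (True, False)
    print(display_one(REASON_DIFFERS))
```

In both constructed cases the keep-first server lets the client accept a signature that the full set of revocations would reject.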