ietf-openpgp

Re: [openpgp] New fingerprint: to v5 or not to v5

2015-10-08 10:46:22
On Thu,  8 Oct 2015 17:16, pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz 
said:

> X.509 has been using this mechanism for about twenty years without any
> problems.  Sure, someone could do that, but what would they gain by it?  The

YMMV: I have seen serial number re-use for different keys done by
official CAs more than once.

>> I call this corrupt data.  The self-signature would not verify and thus the
>> key is unusable.  Time to remember where you stored the backup.

> It's not corrupted, someone just updated their key info, the signatures on the

What do you mean by "key info"?

> new key data are all valid.  The fact that the exact same key that was used
> earlier, with the exact same name/email address attached to it, now has a
> totally different identifier associated with it, is a problem with how PGP
> identifiers are handled.  No data corruption has taken place.

You mean the binding signatures verify okay but the key is different?
If that is the case you found a bug in the software.  You can't change
the creation date, the key material, the user id or the hashed signature
subpackets without invalidating the corresponding self-signature.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

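The point argued in the message above, as an added example that is not part of the original mail or of any OpenPGP implementation: under the RFC 4880 v4 formats, the fingerprint and the self-signature digest both hash the key packet (creation time included), and the digest additionally covers the user ID and hashed subpackets, so changing any of them changes what the existing signature would have to match. The modulus, user IDs and timestamps are constructed sample values, and no real signature is produced.

```python
import hashlib
import struct

def mpi(n):
    """Encode an integer as an OpenPGP MPI (2-octet bit count + magnitude)."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def key_body(created, n, e):
    """v4 public-key packet body: version, creation time, algo 1 (RSA), MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def framed_key(body):
    """Key packet as it is fed to hashes: 0x99, 2-octet length, body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body):
    return hashlib.sha1(framed_key(body)).hexdigest()

def selfsig_digest(body, user_id, sig_created):
    """Digest a v4 positive certification (0x13) would sign, using SHA-256."""
    subpkts = bytes([5, 2]) + struct.pack(">I", sig_created)  # sig creation time
    hashed = bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(subpkts)) + subpkts
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    uid = b"\xb4" + struct.pack(">I", len(user_id)) + user_id
    return hashlib.sha256(framed_key(body) + uid + hashed + trailer).hexdigest()

# Constructed values: N is an arbitrary 2048-bit odd number, not a real modulus.
N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed").digest(), "big") | 1
E = 65537
UID = b"Alice Example <alice@example.org>"

def compare():
    orig = key_body(1444300000, N, E)
    redated = key_body(1444300001, N, E)   # same key material, new creation date
    return {
        "fpr_orig": v4_fingerprint(orig),
        "fpr_redated": v4_fingerprint(redated),
        "sig_orig": selfsig_digest(orig, UID, 1444300100),
        "sig_redated": selfsig_digest(redated, UID, 1444300100),
        "sig_new_uid": selfsig_digest(orig, b"Bob Example <bob@example.org>", 1444300100),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:12} {value}")
```

A one-second change in the creation date yields a different fingerprint and a different self-signature digest, while a changed user ID leaves the fingerprint alone but still changes the digest.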