
Re: [Sks-devel] multiple subkey binding


From: David Shaw
Subject: Re: [Sks-devel] multiple subkey binding
Date: Wed, 3 Dec 2003 18:19:09 -0500
User-agent: Mutt/1.5.5i

On Wed, Dec 03, 2003 at 05:58:16PM -0500, Jason Harris wrote:
> On Wed, Dec 03, 2003 at 04:59:12PM -0500, David Shaw wrote:
> > On Wed, Dec 03, 2003 at 04:05:11PM -0500, Jason Harris wrote:
> > 
> > > So, such legacy subpackets seem to be able to find the keyservers
> > > with newer versions of GPG, at least.  How the versions of the
> > > signatures without the type 101 subpackets are getting generated is
> > > still unclear to me, however.
> > 
> > Not generated.  Maintained, though.  GnuPG doesn't tamper with the
> > private subpackets, since it doesn't know who generated them, or why.
> 
> Older versions of GPG added those subpackets for private use.
> Newer versions of GPG preserve them.  Therefore:
> 
>   "GnuPG never exported the local subpackets, so someone would have to
>    make an extreme effort to get them onto the server."
> 
> seems incorrect.  Wouldn't pointing a newer GPG at an existing keyring
> (with those subpackets) and doing a --send-keys account for them winding
> up on the keyservers?

Sounds reasonable to me.  Until fairly recently, GnuPG knew they
belonged to itself and stripped them.  I'd have to look, but I recall it
was only in one of the latest releases that we stopped stripping them and
started passing them through.

Either way, the same question arises: with two identical signatures on
a keyserver, differing only in the unhashed data, is it reasonable to
strip one?

David
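
The comparison the closing question turns on, as an added example that is not part of the original message and is not GnuPG or SKS code: it splits version 4 signature packet bodies (RFC 2440 layout) and groups those whose hashed part and signature value match, leaving only the unhashed areas to differ. The function names and the two sample signatures (dummy key ID, timestamp and MPI) are constructed for illustration.

```python
from collections import defaultdict

def split_v4_sig(body):
    """Return (hashed_part, unhashed_area, trailer) of a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature body")
    hashed_end = 6 + int.from_bytes(body[4:6], "big")
    if len(body) < hashed_end + 2:
        raise ValueError("truncated hashed area")
    unhashed_end = hashed_end + 2 + int.from_bytes(body[hashed_end:hashed_end + 2], "big")
    if len(body) < unhashed_end + 2:
        raise ValueError("truncated unhashed area")
    return body[:hashed_end], body[hashed_end + 2:unhashed_end], body[unhashed_end:]

def subpacket_types(area):
    """List the subpacket type numbers in a subpacket area (critical bit masked)."""
    types, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, i + 2
        else:                                # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        types.append(area[i] & 0x7F)         # length counts the type octet
        i += length
    return types

def group_ignoring_unhashed(bodies):
    """Map (hashed_part, trailer) -> list of unhashed areas seen for that signature."""
    groups = defaultdict(list)
    for body in bodies:
        hashed, unhashed, trailer = split_v4_sig(body)
        groups[(hashed, trailer)].append(unhashed)
    return groups

def _subpkt(ptype, data):  # constructed-sample helper, short lengths only
    return bytes([len(data) + 1, ptype]) + data
def _sig(unhashed):  # constructed sample: 0x18 subkey binding, RSA, SHA-1
    hashed = _subpkt(2, (1070000000).to_bytes(4, "big"))       # creation time
    head = bytes([4, 0x18, 1, 2]) + len(hashed).to_bytes(2, "big") + hashed
    trailer = b"\xab\xcd" + (16).to_bytes(2, "big") + b"\x9a\x5c"  # hash prefix + dummy MPI
    return head + len(unhashed).to_bytes(2, "big") + unhashed + trailer

ISSUER = _subpkt(16, bytes.fromhex("0123456789abcdef"))    # dummy issuer key ID
SAMPLE_PLAIN = _sig(ISSUER)                                # copy without type 101
SAMPLE_PRIVATE = _sig(ISSUER + _subpkt(101, b"\x01"))      # copy carrying type 101
```

A group holding more than one unhashed area is the case in question; the code only identifies such pairs and does not decide which copy to keep.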



