monkeysphere-authentication update-users behavior confusing when user has more than one OpenPGP UID with different KeyIDs
Situation:
(a) User "Newbie" makes an OpenPGP key identity with UID "thesame thesame@example.com" and KeyID for example 0x00000001 and uses monkeysphere to insert "ssh public key 1" into it. It is signed by the monkeysphere administrator.
(b) User "Newbie" makes another OpenPGP key identity with UID "thesame thesame@example.com" and KeyID for example 0x00000002 and uses monkeysphere to insert "ssh public key 2" into it. It is signed by the monkeysphere administrator.
(c) Monkeysphere administrator becomes confused, as expected behavior would seem to be for both "ssh public key 1" and "ssh public key 2" to be pulled by "monkeysphere-authentication update-users", as indeed 'monkeysphere keys-for-userid "thesame thesame@example.com"' and 'monkeysphere sshfprs-for-userid "thesame thesame@example.com"' both show "ssh public key 1" and "ssh public key 2".
The workaround is, if "Newbie" actually only needs one of the ssh public keys to work, for the monkeysphere administrator to revoke the signature on one of the KeyIDs. However, I'm guessing there are probably use cases where a user could legitimately want to have several KeyIDs with the same UID, in which case I do not know of a workaround.
IMHO if this happens, monkeysphere-authentication update-users should either accept all of the valid ssh public keys even if they belong to multiple KeyIDs with the same UID, or throw an error; the current behavior of just selecting one of them is hard to debug.
(from redmine: created on 2011-01-14)
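
An administrator-side check for the situation reported above, added here as an example (it is not part of the original report or of monkeysphere): it reads a `gpg --list-keys --with-colons` listing and reports every user ID that is bound to more than one primary key. The function names and the sample listing are constructed for illustration; the key IDs only mirror the report's example values.

```shell
#!/bin/sh
# Added example: find user IDs that appear on more than one primary key.
# Assumed input: `gpg --list-keys --with-colons` output on stdin, taken from
# whichever keyring the administrator wants to audit.

# Constructed sample listing (not real keys).
sample_listing() {
cat <<'EOF'
pub:f:2048:1:0000000000000001:1294963200:::-:::scESC:
uid:f::::1294963200::AAAA::thesame thesame@example.com:
sub:f:2048:1:00000000000000A1:1294963200::::::a:
pub:f:2048:1:0000000000000002:1294963300:::-:::scESC:
uid:f::::1294963300::BBBB::thesame thesame@example.com:
sub:f:2048:1:00000000000000A2:1294963300::::::a:
pub:f:2048:1:0000000000000003:1294963400:::-:::scESC:
uid:f::::1294963400::CCCC::other other@example.com:
EOF
}

# Print "<uid>: <keyid> <keyid> ..." for each UID found on two or more keys.
dup_uids() {
    awk -F: '
    # Record that user ID u belongs to the current primary key (once per key).
    function note(u) {
        if (u == "" || seen[u, keyid]++) return
        n[u]++
        keys[u] = (keys[u] == "" ? "" : keys[u] " ") keyid
    }
    # Field 5 of a pub record is the key ID; field 2 is validity (r/e = revoked/expired).
    # Older gpg versions put the primary user ID in field 10 of the pub record itself.
    $1 == "pub" { keyid = $5; skip = ($2 ~ /^[re]/); if (!skip) note($10) }
    # Field 10 of a uid record is the user ID string.
    $1 == "uid" && !skip && $2 !~ /^[re]/ { note($10) }
    END { for (u in n) if (n[u] > 1) print u ": " keys[u] }
    ' | sort
}

# Run against the constructed sample; for a real keyring use:
#   gpg --list-keys --with-colons | dup_uids
sample_listing | dup_uids
```

Any UID this prints is one where the administrator should confirm which ssh public keys actually end up authorized after running update-users.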