Password reset
David Shaw
dshaw@jabberwocky.com
Tue Aug 21 16:29:01 2001
On Tue, Aug 21, 2001 at 03:55:09PM +0200, Florian Weimer wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
>
> > OpenPGP puts the onus of deciding whether to use or trust a key on the
> > local user's side.
>
> The OpenPGP RFC doesn't say anything about these issues, so it's not
> clear that the local user has control, the OpenPGP he uses might well
> make the decisions for him.

Oh, yes, the implementation may make decisions, but the local user
always has control.

A revocation certificate is really just a signature. If I remove it
(gpg --edit-key can do this easily), then my local copy of the key is
not revoked any longer.

An expiration date is just a time_t. If I set my clock back to before
that time, the key isn't expired any longer.

The user always has control. There is a convention between
implementations that they won't use a key that has a "revoked"
certificate attached, but what I was saying was that there is nothing
in the cryptography that prevents this.

David

--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
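
Added example, not part of the message above and not GnuPG code: a small Python sketch of the policy layer the message describes, where a key's status is computed from the packets present in the local copy (a signature of type 0x20 is a key revocation) and from the clock value supplied (key expiration time, signature subpacket type 9). The function names and the truncated sample packets are constructed for illustration, and the sketch does not verify any signature.

```python
def packets(blob):
    """Yield (tag, body) for each packet; old- and new-format headers."""
    i = 0
    while i < len(blob):
        hdr = blob[i]; i += 1
        if hdr & 0x40:                                  # new-format header
            tag, first = hdr & 0x3F, blob[i]; i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + blob[i] + 192; i += 1
            elif first == 255:
                n = int.from_bytes(blob[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                           # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 3]
            if size is None:
                raise ValueError("indeterminate length not handled")
            n = int.from_bytes(blob[i:i + size], "big"); i += size
        yield tag, blob[i:i + n]
        i += n

def hashed_subpackets(sig):
    """Yield (type, data) from a v4 signature's hashed area (lengths < 192)."""
    i, end = 6, 6 + int.from_bytes(sig[4:6], "big")
    while i < end:
        n = sig[i]                                      # counts type octet + data
        yield sig[i + 1] & 0x7F, sig[i + 2:i + 1 + n]
        i += 1 + n

def key_status(blob, now):
    """Policy layer only: signatures are NOT verified in this sketch."""
    created = lifetime = None
    for tag, body in packets(blob):
        if tag == 6 and body[0] == 4:                   # public-key packet
            created = int.from_bytes(body[1:5], "big")
        elif tag == 2 and body[0] == 4:                 # signature packet
            if body[1] == 0x20:                         # key revocation signature
                return "revoked"
            for typ, data in hashed_subpackets(body):
                if typ == 9:                            # key expiration time
                    lifetime = int.from_bytes(data, "big")
    return "expired" if lifetime and now >= created + lifetime else "usable"

# Constructed sample packets (truncated: no key material or signature MPIs).
CREATED = 998000000
KEY = b"\xc6\x06\x04" + CREATED.to_bytes(4, "big") + b"\x01"
SELF_SIG = b"\xc2\x0c\x04\x13\x01\x02\x00\x06\x05\x09" + (86400).to_bytes(4, "big")
REVOCATION = b"\x88\x06\x04\x20\x01\x02\x00\x00"      # old-format header
```

The result is a function of two local inputs, the packet list and `now`, which is why a relying party's answer is only as current as its copy of the key and only as reliable as its clock.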