Trust, UIDs, signing & revoking

Len Sassaman rabbi@quickie.net
Wed Nov 21 01:39:02 2001


On Wed, 21 Nov 2001, Mark Brown wrote:

> certificate for the self-signature.  To get the ID fully revoked in PGP
> you need to get everyone who signed the ID to revoke their signature.

Even that's not a solution.

(The UID isn't revoked at that point. It is simply removed from the trust
calculations. A future signer can come along and sign the key, and then be
included in trust calculations again, whereas they wouldn't if the UID
were revoked.)

Have you actually verified that this is how PGP does its trust
calculations internally? There may be some difference between what is
displayed in PGPkeys and what is done in the SDK.

--

Len Sassaman

Security Architect            |  "Now it's all change --
Technology Consultant         |   It's got to change more."
                              |
http://sion.quickie.net       |              --Joe Jackson