Certs by a revoked key

Jan Niehusmann jan@gondor.com
Fri Feb 21 11:18:24 2003



I just had a discussion about how to handle certs that were made by a revoked
key. I think, because PGP doesn't have proper timestamps, every
signature by a revoked key must be considered invalid. But gnupg seems
to ignore the fact that a key is revoked when checking a certificate.

Is that a bug?

For reference,
says in section

"If a key has been revoked because of a compromise, all signatures
created by that key are suspect. However, if it was merely superseded
or retired, old signatures are still valid. If the revoked signature is
the self-signature for certifying a user id, a revocation denotes that
that user name is no longer in use.  Such a revocation SHOULD include
an 0x20 subpacket."

This seems to be a clarification of RFC2440, not a real change in the
protocol. So shouldn't gpg handle revoked keys that way?


Version: GnuPG v1.2.1 (GNU/Linux)
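The reason-for-revocation check discussed in the message above, as an added example that is not part of the original post and not GnuPG's own code: a small Python parser for an OpenPGP v4 revocation signature packet that pulls the creation-time, issuer and reason-for-revocation subpackets out of the hashed area and applies the RFC 2440bis / RFC 4880 rule to a signature made by the revoked key. The two sample packets are constructed inline with a dummy MPI signature value (nothing is cryptographically verified), and the issuer key ID, timestamps and reason strings are made up for the example.

```python
"""Inspect an OpenPGP v4 revocation signature and decide how to treat
earlier signatures by the revoked key (RFC 4880 sec. 5.2.3.23).
Added example; packets below are constructed, not from a real key."""
import struct

# Revocation reason codes from RFC 4880 (first octet of subpacket 29)
REASON_CODES = {0x00: "no reason", 0x01: "key superseded",
                0x02: "key compromised", 0x03: "key retired",
                0x20: "user ID no longer valid"}
SUBPKT_CREATION_TIME, SUBPKT_ISSUER, SUBPKT_REASON = 2, 16, 29
REVOCATION_SIG_TYPES = (0x20, 0x28, 0x30)   # key, subkey, certification revocation


def read_packet_header(data, off=0):
    """Return (tag, body_offset, body_length) for an old- or new-format header."""
    ctb = data[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, l = ctb & 0x3F, data[off + 1]
        if l < 192:
            return tag, off + 2, l
        if l < 224:
            return tag, off + 3, ((l - 192) << 8) + data[off + 2] + 192
        if l == 255:
            return tag, off + 6, struct.unpack(">I", data[off + 2:off + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03        # old-format header
    if ltype == 0:
        return tag, off + 2, data[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", data[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", data[off + 1:off + 5])[0]
    raise ValueError("indeterminate length not supported")


def iter_subpackets(area):
    """Yield (type, body) for every subpacket in a hashed or unhashed area."""
    off = 0
    while off < len(area):
        l = area[off]
        if l < 192:
            length, off = l, off + 1
        elif l < 255:
            length, off = ((l - 192) << 8) + area[off + 1] + 192, off + 2
        else:
            length, off = struct.unpack(">I", area[off + 1:off + 5])[0], off + 5
        yield area[off] & 0x7F, bytes(area[off + 1:off + length])  # mask critical bit
        off += length


def parse_v4_signature(data):
    """Parse a v4 signature packet; reason/time are taken from the hashed area only."""
    tag, off, length = read_packet_header(data)
    if tag != 2:
        raise ValueError("not a signature packet")
    body = data[off:off + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    info = {"sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "created": None, "issuer": None, "reason_code": None, "reason_text": ""}
    for t, b in iter_subpackets(hashed):          # covered by the signature
        if t == SUBPKT_CREATION_TIME:
            info["created"] = struct.unpack(">I", b)[0]
        elif t == SUBPKT_ISSUER:
            info["issuer"] = b.hex().upper()
        elif t == SUBPKT_REASON:
            info["reason_code"], info["reason_text"] = b[0], b[1:].decode("utf-8", "replace")
    for t, b in iter_subpackets(unhashed):        # not signed: only accept issuer hint
        if t == SUBPKT_ISSUER and info["issuer"] is None:
            info["issuer"] = b.hex().upper()
    return info


def verdict(rev, sig_created):
    """Classify a signature made at sig_created by the key that rev revokes."""
    if rev["sig_type"] not in REVOCATION_SIG_TYPES:
        raise ValueError("not a revocation signature")
    if rev["created"] is None or sig_created >= rev["created"]:
        return "invalid"      # made after the (self-asserted) revocation time
    if rev["reason_code"] in (0x01, 0x03):
        return "valid"        # superseded / retired: earlier signatures still count
    return "suspect"          # compromised, unspecified, or no reason subpacket


def _subpacket(t, body):
    return bytes([len(body) + 1, t]) + body       # 1-octet length form (< 192)


def build_revocation_packet(sig_type, reason_code, reason_text, created, issuer_hex):
    """Constructed sample packet with a dummy 8-bit MPI in place of a real signature."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created)) + \
        _subpacket(SUBPKT_REASON, bytes([reason_code]) + reason_text.encode())
    unhashed = _subpacket(SUBPKT_ISSUER, bytes.fromhex(issuer_hex))
    body = (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed +
            struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + b"\x00\x08\xab")
    return bytes([0xC2, len(body)]) + body        # new-format header, tag 2


REVOKED_AT = 1045785600                           # 2003-02-21 00:00 UTC, made up
SAMPLES = {                                       # constructed; key ID is fictitious
    "compromised": build_revocation_packet(0x20, 0x02, "laptop stolen", REVOKED_AT, "0123456789ABCDEF"),
    "superseded": build_revocation_packet(0x20, 0x01, "new key", REVOKED_AT, "0123456789ABCDEF"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        rev = parse_v4_signature(pkt)
        print(name, REASON_CODES.get(rev["reason_code"], "?"), rev["issuer"],
              verdict(rev, REVOKED_AT - 86400), verdict(rev, REVOKED_AT + 1))
```

Note that the "valid" branch rests entirely on comparing two self-asserted creation-time subpackets, which is exactly the objection raised in the message: without a trusted timestamp, a holder of the private key could backdate a signature, so a conservative policy treats every signature by a revoked key as suspect regardless of the reason code.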