Certs by a revoked key
Fri Feb 21 11:18:24 2003
Content-Type: text/plain; charset=us-ascii
I just had a discussion about how to handle certs that were made by a revoked
key. I think, because PGP doesn't have proper timestamps, every
signature by a revoked key must be considered invalid. But gnupg seems
to ignore the fact that a key is revoked when checking a certificate.
Is that a bug?
says in section 184.108.40.206.:
"If a key has been revoked because of a compromise, all signatures
created by that key are suspect. However, if it was merely superseded
or retired, old signatures are still valid. If the revoked signature is
the self-signature for certifying a user id, a revocation denotes that
that user name is no longer in use. Such a revocation SHOULD include
an 0x20 subpacket."
This seems to be a clarification of RFC2440, not a real change in the
protocol. So shouldn't gpg handle revoked keys that way?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
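The policy the quoted draft text describes, as an added worked example that is not part of the original mail and is not GnuPG's code. It reads the signature creation time (subpacket type 2) and the reason for revocation (subpacket type 29) out of an OpenPGP subpacket area and then decides whether a certification made by the revoked key should still be honoured. Subpacket layout, type numbers and reason codes follow the OpenPGP signature-subpacket format as later published in RFC 4880; the byte strings are constructed for the example, and the choices for a missing reason code and for untrusted timestamps (the mail's concern) are my own assumptions, not the spec's.

```python
"""Added example: apply the revoked-key rule from the quoted OpenPGP draft text.
Not code from the original post or from GnuPG. Subpacket format and reason codes
per RFC 4880 section 5.2.3; sample bytes below are constructed for the example."""
import struct
from enum import Enum

SUBPKT_SIG_CREATION_TIME = 2      # 4-octet time, always present in a v4 signature
SUBPKT_REASON_FOR_REVOCATION = 29 # 1-octet reason code followed by free text

# Reason-for-revocation codes. 0x20 is the code the quoted draft text is about:
# "User ID information is no longer valid" (applies to revoking a self-sig).
REASON_NONE, REASON_SUPERSEDED, REASON_COMPROMISED = 0x00, 0x01, 0x02
REASON_RETIRED, REASON_UID_INVALID = 0x03, 0x20


def encode_subpacket(ptype: int, body: bytes) -> bytes:
    """Build one subpacket (length covers the type octet plus the body)."""
    length = len(body) + 1
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        length -= 192
        hdr = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([ptype]) + body


def parse_subpackets(data: bytes) -> dict:
    """Parse a hashed or unhashed subpacket area into {type: (body, critical)}.
    The critical bit (0x80) is stripped from the type and reported separately."""
    out, i = {}, 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(data):
            raise ValueError("truncated subpacket")
        ptype, critical = data[i] & 0x7F, bool(data[i] & 0x80)
        out[ptype] = (data[i + 1:i + length], critical)
        i += length
    return out


def creation_time(subpackets: dict) -> int:
    return struct.unpack(">I", subpackets[SUBPKT_SIG_CREATION_TIME][0][:4])[0]


def revocation_reason(subpackets: dict) -> int:
    if SUBPKT_REASON_FOR_REVOCATION not in subpackets:
        return REASON_NONE  # the subpacket is optional; absence means "no reason"
    return subpackets[SUBPKT_REASON_FOR_REVOCATION][0][0]


class Verdict(Enum):
    VALID = "valid"
    SUSPECT = "suspect"


def judge_certification(cert_time: int, revocation_time: int, reason: int,
                        trust_timestamps: bool = True) -> Verdict:
    """Rule from the draft text: compromise taints everything; superseded/retired
    keeps signatures made before the revocation. The signer chooses the creation
    time, so the "before" test only means something if timestamps are trusted
    (assumption: when they are not, every such signature is suspect, as the
    mail argues). A missing or unknown reason is treated conservatively."""
    if reason == REASON_COMPROMISED:
        return Verdict.SUSPECT
    if reason in (REASON_SUPERSEDED, REASON_RETIRED):
        if not trust_timestamps:
            return Verdict.SUSPECT
        return Verdict.VALID if cert_time < revocation_time else Verdict.SUSPECT
    return Verdict.SUSPECT


# Constructed sample: a key revocation giving reason "retired" at T_REV, and a
# certification the same key made earlier at T_CERT.
T_CERT, T_REV = 1_040_000_000, 1_045_000_000
REVOCATION_AREA = (encode_subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", T_REV))
                   + encode_subpacket(SUBPKT_REASON_FOR_REVOCATION, b"\x03retired"))
CERT_AREA = encode_subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", T_CERT))


def demo() -> dict:
    rev, cert = parse_subpackets(REVOCATION_AREA), parse_subpackets(CERT_AREA)
    t_cert, t_rev, reason = creation_time(cert), creation_time(rev), revocation_reason(rev)
    return {
        "retired_trust_time": judge_certification(t_cert, t_rev, reason),
        "retired_no_trust": judge_certification(t_cert, t_rev, reason, trust_timestamps=False),
        "compromised": judge_certification(t_cert, t_rev, REASON_COMPROMISED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

With timestamps trusted the retired-key certification is accepted and the compromised-key one is not; with timestamps distrusted, the retired case collapses to suspect as well, which is the position the mail takes.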