Certs by a revoked key
Jan Niehusmann
jan@gondor.com
Fri Feb 21 11:18:24 2003
Hello!
I just had a discussion about how to handle certs that were made by a revoked
key. I think that, because PGP doesn't have proper timestamps, every
signature by a revoked key must be considered invalid. But gnupg seems
to ignore the fact that a key is revoked when checking a certificate.
Is that a bug?
For reference,
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-06.txt
says in section 5.2.3.23:
"If a key has been revoked because of a compromise, all signatures
created by that key are suspect. However, if it was merely superceded
or retired, old signatures are still valid. If the revoked signature is
the self-signature for certifying a user id, a revocation denotes that
that user name is no longer in use. Such a revocation SHOULD include
an 0x20 subpacket."
This seems to be a clarification of RFC2440, not a real change in the
protocol. So shouldn't gpg handle revoked keys that way?
Jan
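The rule quoted from the draft, and the stricter "reject everything signed by a revoked key" position taken in the message, written out side by side as a policy check. This is an added illustration, not GnuPG's code or text from the draft. The reason codes are those of the OpenPGP "Reason for Revocation" signature subpacket (0x00 no reason, 0x01 superseded, 0x02 compromised, 0x03 retired, 0x20 user ID no longer valid); the `Certification` and `Revocation` data classes, the `strict` switch, the timestamps, and the choice to treat a revocation with no stated reason as suspect are assumptions made for the example.

```python
"""Policy check for certifications made by a key that has since been revoked.

Added illustration, not GnuPG's code.  Reason codes follow the "Reason for
Revocation" signature subpacket of draft-ietf-openpgp-rfc2440bis; the data
classes, the strict switch and the timestamps are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RevocationReason(Enum):
    NO_REASON = 0x00        # no reason specified
    SUPERSEDED = 0x01       # key is superseded
    COMPROMISED = 0x02      # key material has been compromised
    RETIRED = 0x03          # key is retired and no longer used
    USER_ID_INVALID = 0x20  # user ID no longer valid (meant for user-ID revocations)


class Verdict(Enum):
    VALID = "valid"      # the certification may be relied on
    SUSPECT = "suspect"  # an attacker may hold the key; do not rely on it
    INVALID = "invalid"  # does not verify, or was made after the key was withdrawn


@dataclass
class Revocation:
    reason: RevocationReason
    created: int  # creation time of the revocation signature (seconds since epoch)


@dataclass
class Certification:
    created: int      # claimed creation time, written by the signer itself
    crypto_ok: bool   # result of the actual signature verification
    signer_revocation: Optional[Revocation] = None


def judge_certification(cert: Certification, strict: bool = False) -> Verdict:
    """Apply the draft's reason-based rule, or with strict=True the rule
    that nothing signed by a revoked key is accepted (assumed policy)."""
    if not cert.crypto_ok:
        return Verdict.INVALID
    rev = cert.signer_revocation
    if rev is None:
        return Verdict.VALID
    if strict:
        # The creation time is self-asserted, so whoever holds the key can
        # backdate a signature; no signature by a revoked key is trusted.
        return Verdict.INVALID
    if rev.reason == RevocationReason.COMPROMISED:
        # Draft 5.2.3.23: every signature by a compromised key is suspect,
        # whatever its claimed date, because an attacker can backdate it.
        return Verdict.SUSPECT
    if rev.reason in (RevocationReason.SUPERSEDED, RevocationReason.RETIRED):
        # Old signatures stay valid; one claiming a later date was made after
        # the owner withdrew the key.
        return Verdict.VALID if cert.created < rev.created else Verdict.INVALID
    # NO_REASON, or a code meant for user-ID revocations found on a key
    # revocation: no stated ground for keeping old signatures, so treat as
    # suspect (assumed conservative policy, not a rule from the draft).
    return Verdict.SUSPECT


def demo() -> dict:
    """Constructed cases; the timestamps are arbitrary but ordered."""
    rev_t = 1_045_000_000  # constructed revocation time
    before, after = rev_t - 86_400, rev_t + 86_400
    superseded = Revocation(RevocationReason.SUPERSEDED, rev_t)
    cases = {
        "not revoked": Certification(before, True),
        "superseded, signed before": Certification(before, True, superseded),
        "superseded, signed after": Certification(after, True, superseded),
        "compromised, signed before": Certification(
            before, True, Revocation(RevocationReason.COMPROMISED, rev_t)),
        "no reason given": Certification(
            before, True, Revocation(RevocationReason.NO_REASON, rev_t)),
        "bad signature": Certification(before, False),
    }
    return {name: judge_certification(c).value for name, c in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
    retired_before = Certification(1, True, Revocation(RevocationReason.RETIRED, 2))
    print("strict policy, retired/before ->",
          judge_certification(retired_before, strict=True).value)
```

The difference between the two policies shows up only for keys revoked as superseded or retired: the draft keeps their earlier signatures, while the strict rule throws them away because the "earlier" date rests on nothing but the signer's own claim.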