Certs by a revoked key

Jan Niehusmann jan@gondor.com
Fri Feb 21 11:18:24 2003



Hello!

I just had a discussion about how to handle certs that were made by a revoked
key. I think, because PGP doesn't have proper timestamps, every
signature by a revoked key must be considered invalid. But gnupg seems
to ignore the fact that a key is revoked when checking a certificate.

Is that a bug?

For reference,
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-06.txt
says in section 5.2.3.23.:

"If a key has been revoked because of a compromise, all signatures
created by that key are suspect. However, if it was merely superceded
or retired, old signatures are still valid. If the revoked signature is
the self-signature for certifying a user id, a revocation denotes that
that user name is no longer in use.  Such a revocation SHOULD include
an 0x20 subpacket."

This seems to be a clarification of RFC2440, not a real change in the
protocol. So shouldn't gpg handle revoked keys that way?

Jan
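Added example, not part of the message above and not GnuPG code: the rule the draft quotes hinges on the revocation code carried in the Reason for Revocation subpacket (subpacket type 29; 0x20 is the "user ID no longer valid" code, 0x02 is "key compromised"). The block below parses the subpacket area of a revocation signature per RFC 2440 section 5.2.3.1 and then classifies a signature made by that key the way section 5.2.3.23 describes. The sample subpacket areas are constructed here, and the handling of reason 0x00, of a 0x20 code on a key revocation, and the default of not trusting the signer-asserted creation time (the objection raised in the message) are this example's own assumptions.

```python
from __future__ import annotations
from enum import IntEnum

SUBPACKET_SIG_CREATION_TIME = 2    # RFC 2440 5.2.3.4
SUBPACKET_REASON_FOR_REVOCATION = 29  # RFC 2440 5.2.3.23


class Reason(IntEnum):
    """Revocation codes from RFC 2440 / 2440bis section 5.2.3.23."""
    NO_REASON = 0x00
    SUPERSEDED = 0x01
    COMPROMISED = 0x02
    RETIRED = 0x03
    USER_ID_INVALID = 0x20


def parse_subpackets(data: bytes) -> list[tuple[int, bytes]]:
    """Split a signature subpacket area into (type, body) pairs.

    Length encoding per RFC 2440 5.2.3.1: one octet below 192, two octets
    for 192..16319, five octets (0xFF + 4-octet length) above that. The
    length counts the type octet, so the body is one octet shorter."""
    out = []
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:
            length = int.from_bytes(data[i + 1:i + 5], "big")
            i += 5
        if length == 0 or i + length > len(data):
            raise ValueError("malformed subpacket length")
        sp_type = data[i] & 0x7F  # high bit is the 'critical' flag
        out.append((sp_type, data[i + 1:i + length]))
        i += length
    return out


def revocation_reason(subpacket_area: bytes) -> tuple[int, str]:
    """Return (code, reason string) from the Reason for Revocation subpacket.

    Assumption: a revocation that carries no such subpacket is treated as
    code 0x00 (no reason given)."""
    for sp_type, body in parse_subpackets(subpacket_area):
        if sp_type == SUBPACKET_REASON_FOR_REVOCATION:
            if not body:
                raise ValueError("empty reason for revocation subpacket")
            return body[0], body[1:].decode("utf-8", errors="replace")
    return int(Reason.NO_REASON), ""


def signature_status(reason: int, sig_created: int, key_revoked: int,
                     trust_timestamps: bool = False) -> str:
    """Classify a signature made by a key that was later revoked.

    'suspect' : compromise taints every signature (draft 5.2.3.23)
    'valid'   : superseded/retired key, signature predates the revocation
    'invalid' : superseded/retired key, signature postdates the revocation

    OpenPGP creation times are asserted by the signer, so with the default
    trust_timestamps=False a superseded/retired key's signatures are still
    reported as 'suspect'. That default, and treating 0x00 and a stray
    0x20 code like a compromise, are this example's assumptions."""
    if reason == Reason.COMPROMISED:
        return "suspect"
    if reason in (Reason.SUPERSEDED, Reason.RETIRED):
        if not trust_timestamps:
            return "suspect"
        return "valid" if sig_created < key_revoked else "invalid"
    return "suspect"


def encode_subpacket(sp_type: int, body: bytes) -> bytes:
    """Encode one subpacket using the one-octet length form (len < 192)."""
    length = 1 + len(body)
    if length >= 192:
        raise ValueError("use the two-octet length form")
    return bytes([length, sp_type]) + body


# Constructed sample subpacket areas (not taken from any real key).
SAMPLE_COMPROMISED = (
    encode_subpacket(SUBPACKET_SIG_CREATION_TIME, (1045800000).to_bytes(4, "big"))
    + encode_subpacket(SUBPACKET_REASON_FOR_REVOCATION,
                       bytes([Reason.COMPROMISED]) + b"laptop stolen")
)
SAMPLE_RETIRED = encode_subpacket(SUBPACKET_REASON_FOR_REVOCATION,
                                  bytes([Reason.RETIRED]) + b"moved to new key")

if __name__ == "__main__":
    for name, area in (("compromised", SAMPLE_COMPROMISED), ("retired", SAMPLE_RETIRED)):
        code, text = revocation_reason(area)
        print(name, hex(code), repr(text),
              signature_status(code, 1045700000, 1045800000, trust_timestamps=True))
```

The draft text only says what a compromise implies; whether a verifier is allowed to believe the creation time on an old signature from a superseded key is exactly the policy question the message raises, which is why that choice is a parameter rather than hard-coded.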

