Certs by a revoked key

David Shaw dshaw@jabberwocky.com
Sun Feb 23 21:12:01 2003


On Sun, Feb 23, 2003 at 12:20:06PM -0600, Richard Laager wrote:

> On Friday, February 21, 2003 6:22 AM, David Shaw wrote:
> > On Thu, Feb 20, 2003 at 09:01:14PM +0100, Jan Niehusmann wrote:
> ...
> > > "If a key has been revoked because of a compromise, all
> > > signatures created by that key are suspect. However, if it was
> > > merely superceded or retired, old signatures are still valid. If
> > > the revoked signature is the self-signature for certifying a user
> > > id, a revocation denotes that that user name is no longer in use.
> > >  Such a revocation SHOULD include an 0x20 subpacket."
> > > 
> > > This seems to be a clarification of RFC2440, not a real change in
> > > the protocol. So shouldn't gpg handle revoked keys that way?
> > 
> > No, because unless you are talking about a very special use where
> > the sender and receiver have rigidly controlled clocks and nobody
> > else can participate, there is no way to tell whether the "old
> > signatures"
> > predate the revocation or not.
> 
> What does the timestamp have to do with this? By my interpretation,
> the RFC is saying that if a key is revoked with a reason of 0x02 (Key
> material has been compromised), 0x00* (No reason specified), or this
> subpacket is missing* altogether, then all of the key's signatures
> are suspect and must be ignored. However, if any other reason
> (currently 0x01 (Key is superceded) or 0x03 (Key is retired and no
> longer used)) is given, then the signatures should be used in trust
> calculations.

A signature timestamp can be compared - in theory - with the timestamp
of a revocation signature for reasons 0x01 and 0x03 to tell whether
the signature should be accepted or not.

I say "in theory" because while the RFC says this, the clocks used in
general-purpose OpenPGP programs like PGP and GnuPG are not even
vaguely reliable enough.  For certain embedded uses that do not
communicate with the outside world of bogus clocks, this feature might
be usable.

> There's no reason that someone's trust should be altered because they
> retire an old key.

There is when there is no reliable way to tell the difference between
"retired" and "compromised", or more specifically "compromised after
retirement".

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson