Certs by a revoked key

David Shaw dshaw@jabberwocky.com
Tue Feb 25 01:54:02 2003

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Feb 24, 2003 at 09:34:21AM +0100, Adrian 'Dagurashibanipal' von Bid=
der wrote:
> On Sun, 2003-02-23 at 19:20, Richard Laager wrote:
> > By my interpretation,
> > the RFC is saying that if a key is revoked with a reason of 0x02 (Key
> > material has been compromised), 0x00* (No reason specified), or this
> > subpacket is missing* altogether, then all of the key's signatures
> > are suspect and must be ignored. However, if any other reason
> > (currently 0x01 (Key is superceded) or 0x03 (Key is retired and no
> > longer used)) is given, then the signatures should be used in trust
> > calculations.
> This is the case if you can assume that all revocation packets make it
> through. But I suspect that an attack where the attacker replaces a 0x02
> revocation by the key holder with a 0x01 revocation might be possible,
> so the victim might be led to trust too many signatures.

The revocation type (0x01, 0x02, etc) is part of (or had better be
part of!) the hashed data in the signature so it can't be tampered

A key that has a 0x01 AND 0x02 revocation can certainly be tampered
with to remove the 0x02 one... but then, if an attacker could remove
arbitrary packets, they could remove the 0x01 as well.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.2rc1 (GNU/Linux)