Details of signature verification status-fd lines
Werner Koch
wk at gnupg.org
Wed Sep 23 10:20:07 CEST 2009
On Tue, 22 Sep 2009 17:50, bmearns at ieee.org said:
> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
> when the signature was made, right? If that shows up along with
It means that the key has expired by now.
> VALIDSIG, it's ok to trust the signature, correct? What about
That is up to you. Usually you would show a message stating that the
key used to create the message has meanwhile expired. Whether you take the
signature creation date into account and show a different message is up
to you. If a signer wants to use an expired key for signing he may as
well change the signature creation time.
> REVKEYSIG? If a key is revoked, is there an easy way to know if the
> signature was made prior to revocation, or would it be necessary to
> just compare the stamps on the signature and the revocation?
There is no way because you don't know why the key was revoked. Sure,
the revocation signature allows giving a reason for the revocation and you
can take that into account, but if the key was compromised an attacker may
also create a revocation with a different reason (e.g. key superseded).
You can't tell who did the revocation.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
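The following is an added example, not code from Werner's reply or from GnuPG itself. It shows how an application consuming `gpg --status-fd` output would treat the states discussed above: GOODSIG, EXPKEYSIG and REVKEYSIG each arrive together with a VALIDSIG line, and the "expired" and "revoked" decisions are left to application policy. The status-line layout follows GnuPG's doc/DETAILS (keyword after `[GNUPG:] `, VALIDSIG carrying the fingerprint and the signature creation timestamp, KEYEXPIRED carrying the key's expiry timestamp); the transcripts, the fingerprint, the `Verdict` type and the `accept`/`describe`/`signed_before_expiry` policy helpers are all constructed for this example and are not GnuPG API.

```python
"""Classify a single-signature `gpg --status-fd` transcript: GOODSIG, EXPKEYSIG
and REVKEYSIG are all "good signature" states that come with VALIDSIG; what the
expired/revoked cases mean is application policy (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PREFIX = "[GNUPG:] "          # every status line starts with this token


@dataclass
class Verdict:
    status: str = "none"                   # good | expired_key | revoked_key | bad | error | none
    fingerprint: Optional[str] = None      # from VALIDSIG
    sig_timestamp: Optional[int] = None    # signature creation time (epoch s), chosen by the signer
    key_expired_at: Optional[int] = None   # from KEYEXPIRED (epoch s)


def _to_epoch(stamp: str) -> int:
    # GnuPG prints either seconds since the epoch or an ISO 8601 form (YYYYMMDDTHHMMSS).
    if stamp.isdigit():
        return int(stamp)
    dt = datetime.strptime(stamp, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_status(text: str) -> Verdict:
    v = Verdict()
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue                       # ordinary stderr chatter, not a status line
        fields = raw[len(PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw == "GOODSIG":
            v.status = "good"
        elif kw == "EXPKEYSIG":            # good signature, but the key has expired by now
            v.status = "expired_key"
        elif kw == "REVKEYSIG":            # good signature, but the key has been revoked
            v.status = "revoked_key"
        elif kw == "BADSIG":
            v.status = "bad"
        elif kw in ("ERRSIG", "NO_PUBKEY") and v.status == "none":
            v.status = "error"
        elif kw == "VALIDSIG" and len(args) >= 3:
            v.fingerprint = args[0]        # args: fpr, sig date, sig timestamp, ...
            v.sig_timestamp = _to_epoch(args[2])
        elif kw == "KEYEXPIRED" and args:
            v.key_expired_at = int(args[0])
    return v


def signed_before_expiry(v: Verdict) -> Optional[bool]:
    """True/False when both stamps are known, else None. Informational only:
    the signature creation time is written by the signer and can be backdated."""
    if v.sig_timestamp is None or v.key_expired_at is None:
        return None
    return v.sig_timestamp < v.key_expired_at


def accept(v: Verdict, allow_expired_key: bool = False) -> bool:
    """Policy: plain good signature accepted; expired key only if the caller opts
    in; revoked key never, because the status output cannot tell who revoked the
    key or whether the signature really predates the revocation."""
    if v.status == "good":
        return True
    if v.status == "expired_key":
        return allow_expired_key
    return False


def describe(v: Verdict) -> str:
    if v.status == "good":
        return "good signature from key %s" % v.fingerprint
    if v.status == "expired_key":
        msg = "good signature, but key %s has meanwhile expired" % v.fingerprint
        if signed_before_expiry(v):
            msg += " (signature claims a creation time before the expiry)"
        return msg
    if v.status == "revoked_key":
        return ("good signature, but key %s was revoked; cannot tell whether the "
                "signature predates the revocation" % v.fingerprint)
    if v.status == "bad":
        return "BAD signature"
    return "no usable signature"


# Constructed transcripts with a dummy fingerprint (not real GnuPG output).
FPR = "0000000000000000000000000123456789ABCDEF"
SAMPLE_EXPIRED = f"""\
[GNUPG:] KEYEXPIRED 1251763200
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Test User <test@example.org>
[GNUPG:] VALIDSIG {FPR} 2009-08-20 1250726400 0 4 0 1 10 01 {FPR}
"""
SAMPLE_REVOKED = f"""\
[GNUPG:] REVKEYSIG 0123456789ABCDEF Test User <test@example.org>
[GNUPG:] VALIDSIG {FPR} 2009-08-20 1250726400 0 4 0 1 10 01 {FPR}
"""
SAMPLE_GOOD = f"""\
gpg: Signature made Thu Aug 20 02:00:00 2009 CEST
[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.org>
[GNUPG:] VALIDSIG {FPR} 2009-08-20 1250726400 0 4 0 1 10 01 {FPR}
[GNUPG:] TRUST_FULLY
"""
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Test User <test@example.org>\n"

if __name__ == "__main__":
    for name, sample in [("expired", SAMPLE_EXPIRED), ("revoked", SAMPLE_REVOKED),
                         ("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)]:
        v = parse_status(sample)
        print(f"{name}: {describe(v)} -> accept={accept(v)}")
```

The design point mirrors the reply: `signed_before_expiry` only feeds a nicer message, never the accept decision, because the timestamp it compares is under the signer's control; and a revoked key is rejected regardless of any reason the revocation carries, since an attacker holding a compromised key can issue a revocation with whatever reason he likes.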