Details of signature verification status-fd lines
bmearns at ieee.org
Wed Sep 23 16:16:59 CEST 2009
On Wed, Sep 23, 2009 at 4:20 AM, Werner Koch <wk at gnupg.org> wrote:
> On Tue, 22 Sep 2009 17:50, bmearns at ieee.org said:
>> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
>> when the signature was made, right? If that shows up along with
> It means that the key has expired by now.
>> VALIDSIG, it's ok to trust the signature, correct? What about
> That is up to you. Usually you would show a message stating that the
> key used to create the message has meanwhile expired. Whether you take the
> signature creation date into account and show a different message is up
> to you. If a signer wants to use an expired key for signing he may as
> well change the signature creation time.
>> REVKEYSIG? If a key is revoked, is there an easy way to know if the
>> signature was made prior to revocation, or would it be necessary to
>> just compare the stamps on the signature and the revocation?
> There is no way because you don't know why the key was revoked. Sure
> the revocation signature allows one to give a reason for revocation and you
> can take that into account, but if the key was compromised an attacker may
> also create a revocation with a different reason (e.g. key superseded).
> You can't tell who did the revocation.
> Thoughts are free. Exceptions are regulated by a federal law.
Great, thanks for the help, Werner.
By the way, are there any python or PHP bindings for GPGME?
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
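
The status lines discussed in this thread, handled in code. This is an added example, not part of the original messages and not GnuPG or GPGME code: it classifies `--status-fd` output for a single signature, and the verdict names, the accept/warn/reject policy and the sample streams are assumptions constructed for illustration.

```python
# Added example: classify `gpg --status-fd` output for a single signature.
RESULT = {"GOODSIG": "good", "EXPSIG": "sig-expired", "EXPKEYSIG": "key-expired",
          "REVKEYSIG": "key-revoked", "BADSIG": "bad", "ERRSIG": "error"}
PREFIX = "[GNUPG:] "

def parse_status(text):
    """Yield (keyword, args) for each status line; other output is ignored."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                yield fields[0], fields[1:]

def classify(text):
    """Return (verdict, sig_timestamp) for a stream holding one signature."""
    result, valid, sig_ts = None, False, None
    for keyword, args in parse_status(text):
        if keyword in RESULT:
            if result is not None:
                raise ValueError("more than one signature in status stream")
            result = RESULT[keyword]
        elif keyword == "VALIDSIG":
            valid = True
            sig_ts = args[2] if len(args) > 2 else None  # signer-chosen value
    if result == "good" and valid:
        return "ok", sig_ts
    if result == "key-expired" and valid:
        # Key has expired by now; warn, and do not treat sig_ts as proof.
        return "warn-key-expired", sig_ts
    if result == "key-revoked":
        # Cannot tell who revoked or why, so timestamps settle nothing.
        return "reject-key-revoked", sig_ts
    return "reject", sig_ts

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
VALID = f"[GNUPG:] VALIDSIG {FPR} 2009-09-01 1251800000 0 4 0 1 2 00 {FPR}\n"
# Constructed sample streams (not captured from a real gpg run).
SAMPLES = {
    "good": f"[GNUPG:] GOODSIG {FPR[-16:]} Alice <alice@example.org>\n" + VALID,
    "expired": f"[GNUPG:] EXPKEYSIG {FPR[-16:]} Alice <alice@example.org>\n" + VALID,
    "revoked": f"[GNUPG:] REVKEYSIG {FPR[-16:]} Alice <alice@example.org>\n" + VALID,
    "bad": f"[GNUPG:] BADSIG {FPR[-16:]} Alice <alice@example.org>\n",
    "unsigned": "gpg: some non-status output\n",
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(name, classify(stream))
```

The "revoked" sample carries a VALIDSIG line on purpose: a consumer that keys on VALIDSIG alone would accept it, so the decision has to start from the GOODSIG/EXPKEYSIG/REVKEYSIG keyword.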