Details of signature verification status-fd lines

Brian Mearns bmearns at ieee.org
Wed Sep 23 16:16:59 CEST 2009


On Wed, Sep 23, 2009 at 4:20 AM, Werner Koch <wk at gnupg.org> wrote:
> On Tue, 22 Sep 2009 17:50, bmearns at ieee.org said:
>
>> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
>> when the signature was made, right? If that shows up along with
>
> It means that the key has expired by now.
>
>> VALIDSIG, it's ok to trust the signature, correct? What about
>
> That is up to you.  Usually you would show a message stating that the
> key used to create the message meanwhile expired.  Whether you take the
> signature creation date into account and show a different message is up
> to you.  If a signer wants to use an expired key for signing he may as
> well change the signature creation time.
>
>> REVKEYSIG? If a key is revoked, is there an easy way to know if the
>> signature was made prior to revocation, or would it be necessary to
>> just compare the stamps on the signature and the revocation?
>
> There is no way because you don't know why the key was revoked.  Sure
> the revocation signature allows you to give a reason for revocation and you
> can take that into account, but if the key was compromised an attacker may
> also create a revocation with a different reason (e.g. key superseded).
> You can't tell who did the revocation.
>
>
> Salam-Shalom,
>
>   Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>

Great, thanks for the help, Werner.

By the way, are there any Python or PHP bindings for GPGME?

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
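
[Added example, not part of the original message and not GnuPG code: a small Python parser that reads the `[GNUPG:]` lines from `gpg --status-fd` for one signature and applies the reasoning in the thread. The accept/warn/reject policy, the function names and the sample key ID, fingerprint and timestamp are assumptions constructed for illustration.]

```python
# Added example: turn `gpg --status-fd` output for one signature into a verdict.
PREFIX = "[GNUPG:] "
# Status keywords that report the outcome of checking one signature.
OUTCOMES = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

# Constructed sample: valid signature whose key has expired by now.
SAMPLE_EXPIRED_KEY = """\
gpg: Signature made (human-readable text, ignored by the parser)
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-09-23 1253715419 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

def parse_status(text):
    """Return (keyword, args) for each status line; other output is ignored."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, rest = line[len(PREFIX):].partition(" ")
            records.append((keyword, rest.split()))
    return records

def classify(text):
    """Example policy (an assumption, not GnuPG's): accept, warn or reject."""
    outcome, valid = None, None
    for keyword, args in parse_status(text):
        if keyword in OUTCOMES:
            if outcome is not None:
                raise ValueError("expected status output for a single signature")
            outcome = keyword
        elif keyword == "VALIDSIG" and len(args) >= 3:
            # args: fingerprint, creation date, creation timestamp, ...
            valid = {"fingerprint": args[0], "sig_created": args[2]}
    if outcome is None:
        return {"verdict": "reject", "reason": "no signature status"}
    if valid is None:
        # BADSIG and ERRSIG end here; so does any outcome lacking VALIDSIG.
        return {"verdict": "reject", "reason": outcome}
    if outcome == "GOODSIG":
        return {"verdict": "accept", "reason": outcome, **valid}
    if outcome == "EXPKEYSIG":
        # Key has expired by now. sig_created is set by the signer, so it is
        # returned for display only and never used to upgrade the verdict.
        return {"verdict": "warn", "reason": outcome, **valid}
    # REVKEYSIG: the status lines cannot show who revoked the key or why.
    # EXPSIG: the signature itself has expired.
    return {"verdict": "reject", "reason": outcome, **valid}

if __name__ == "__main__":
    print(classify(SAMPLE_EXPIRED_KEY))
```
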
