gpg --check-sigs should indicate if a signature is made by a revoked/compromised key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 9 21:00:02 CET 2011


gpg --check-sigs produces information about whether a certification was
revoked, but not whether the certification was made by a key which
itself was revoked.

This seems troublesome to me.

Consider this scenario:

Alice has key A, and Bob has key B.

Alice's key gets compromised by Mallory.

Alice notices the compromise, and revokes her key, indicating that it
was compromised.

Mallory makes a new key, M, attaches Bob's user ID to it, and makes a
certification over (Bob,M) with key A.

Charles knows Alice, and wants to communicate with Bob.  He fetches key
M, and runs "gpg --check-sigs Bob", which shows Alice's signature.

The output of --check-sigs shows no warning that A has been revoked
(marked compromised).

Maybe gpg should emit the same "X" that it currently emits for revoked
certifications as it does for certifications made from revoked (or at
least revoked-due-to-compromise) keys?
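One way a user can get the missing warning today is to post-process the machine-readable listing. The script below is an added example, not part of this message and not GnuPG's own code: it reads the colon-delimited output of `gpg --with-colons --check-sigs` (the field layout documented in GnuPG's doc/DETAILS, of which it assumes only the record type, validity, key ID, user ID and signature-class fields), collects every `pub` record whose validity field is `r`, and then reports each third-party certification whose signer key ID is in that set. The key IDs, user IDs and timestamps in the embedded sample are constructed to mirror the Alice/Bob/Mallory scenario above, not real data.

```python
"""Flag certifications made by revoked keys in a gpg --with-colons listing.

Added example, not part of the original message and not GnuPG code. It
post-processes `gpg --with-colons --check-sigs` output: every `pub` record
with validity `r` (revoked) is collected, and every certification (`sig`
record, class 0x10-0x13) whose signer is in that set is reported, which is
exactly the case gpg's human-readable --check-sigs output leaves unmarked.
"""
import sys
from typing import List, Set, Tuple

# Colon-format field positions (0-based) used here: 0=record type,
# 1=validity, 4=key ID, 9=user ID, 10=signature class.
F_TYPE, F_VALIDITY, F_KEYID, F_UID, F_CLASS = 0, 1, 4, 9, 10

# Constructed key IDs for the scenario (not real keys).
KEY_A = "A11CE00000000001"   # Alice's key, revoked after compromise
KEY_B = "B0B0000000000002"   # Bob's genuine key
KEY_M = "ABAD000000000003"   # Mallory's key carrying Bob's user ID

# Constructed sample listing, as `gpg --with-colons --check-sigs` over the
# whole keyring would print it: key A is revoked (`r`), key M has a 10x
# certification over Bob's user ID made by A.
SAMPLE_LISTING = f"""\
pub:r:2048:1:{KEY_A}:1293840000:::-:::sc::::::23::0:
uid:r::::1293840000::UIDHASH1::Alice <alice@example.org>::::::::::0:
sig:!::1:{KEY_A}:1293840000::::Alice <alice@example.org>:13x:::::::::
pub:-:2048:1:{KEY_B}:1293840000:::-:::sc::::::23::0:
uid:-::::1293840000::UIDHASH2::Bob <bob@example.org>::::::::::0:
sig:!::1:{KEY_B}:1293840000::::Bob <bob@example.org>:13x:::::::::
pub:-:2048:1:{KEY_M}:1297200000:::-:::sc::::::23::0:
uid:-::::1297200000::UIDHASH3::Bob <bob@example.org>::::::::::0:
sig:!::1:{KEY_M}:1297200000::::Bob <bob@example.org>:13x:::::::::
sig:!::1:{KEY_A}:1297200000::::Alice <alice@example.org>:10x:::::::::
"""

CERT_CLASSES = {"10", "11", "12", "13"}   # OpenPGP certification classes


def parse_records(listing: str) -> List[List[str]]:
    """Split a colon-format listing into one field list per record."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]


def revoked_key_ids(records: List[List[str]]) -> Set[str]:
    """Key IDs of primary keys whose validity field says they are revoked."""
    return {r[F_KEYID] for r in records
            if r[F_TYPE] == "pub" and len(r) > F_KEYID and r[F_VALIDITY] == "r"}


def certs_by_revoked_keys(records: List[List[str]],
                          revoked: Set[str]) -> List[Tuple[str, str, str]]:
    """(certified key ID, user ID, signer key ID) for every third-party
    certification whose signer key is revoked. Self-signatures are skipped
    because a revoked key's own bindings are not the problem raised here;
    `rev` records (revoked certifications) are already marked by gpg."""
    flagged = []
    current_key = current_uid = ""
    for r in records:
        rtype = r[F_TYPE]
        if rtype == "pub":
            current_key, current_uid = r[F_KEYID], ""
        elif rtype == "uid":
            current_uid = r[F_UID] if len(r) > F_UID else ""
        elif rtype == "sig" and len(r) > F_CLASS and r[F_CLASS][:2] in CERT_CLASSES:
            signer = r[F_KEYID]
            if signer != current_key and signer in revoked:
                flagged.append((current_key, current_uid, signer))
    return flagged


def report(listing: str) -> List[str]:
    """Human-readable lines, one per certification made by a revoked key."""
    records = parse_records(listing)
    revoked = revoked_key_ids(records)
    return [f"X  [{uid}] on key {key}: certified by REVOKED key {signer}"
            for key, uid, signer in certs_by_revoked_keys(records, revoked)]


if __name__ == "__main__":
    # Pipe real output in (`gpg --with-colons --check-sigs | python3 ...`);
    # with no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for line in report(text) or ["no certifications by revoked keys found"]:
        print(line)
```

Two caveats for real use. The signer's `pub` record has to be in the listing for `revoked_key_ids` to see it, so run `--check-sigs` over the whole keyring rather than over a single key, or feed a separate `gpg --with-colons --list-keys` listing to `revoked_key_ids`. And the local keyring only knows that A is revoked if the revocation has been fetched; refreshing keys before running the check is what makes the `r` flag appear at all.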

	--dkg
