gpg --check-sigs should indicate if a signature is made by a revoked/compromised key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 9 21:00:02 CET 2011
gpg --check-sigs produces information about whether a certification was
revoked, but not whether the certification was made by a key which
itself was revoked.
This seems troublesome to me.
Consider this scenario:
Alice has key A, and Bob has key B.
Alice's key gets compromised by Mallory.
Alice notices the compromise, and revokes her key, indicating that it
Mallory makes a new key, M, attaches Bob's user ID to it, and makes a
certification over (Bob,M) with key A.
Charles knows Alice, and wants to communicate with Bob. He fetches key
M, and runs "gpg --check-sigs Bob", which shows Alice's signature.
The output of --check-sigs shows no warning that A has been revoked.
Maybe gpg should emit the same "X" that it currently emits for revoked
certifications as it does for certifications made from revoked (or at
least revoked-due-to-compromise) keys?
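The check the post asks for, written here as an added example (not gpg's own code, nor the author's): it walks the machine-readable listing that `gpg --with-colons --check-sigs` prints and flags any third-party certification whose signer key is itself revoked. The listing lines and 16-character key IDs below are a constructed sample of the Alice/Bob/M scenario, not real keys.

```python
"""Flag certifications made by a revoked key, from gpg --with-colons output.

In that format `pub` records carry the key's validity in field 2 ('r' = revoked),
and `sig` records carry the signer key ID in field 5, the signer's user ID in
field 10 and the signature class in field 11."""

# Constructed listing (placeholder key IDs): Alice's key A is revoked; key M
# carries Bob's user ID and a certification over (Bob, M) issued by A.
SAMPLE = """\
pub:r:2048:1:AAAAAAAAAAAAAAAA:1200000000:::::::::
uid:r::::1200000000::UIDHASH::Alice <alice@example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1200000000::::Alice <alice@example.org>:13x:::::2:
pub:-:2048:1:MMMMMMMMMMMMMMMM:1297000000:::::::::
uid:-::::1297000000::UIDHASH::Bob <bob@example.org>::::::::::0:
sig:!::1:MMMMMMMMMMMMMMMM:1297000000::::Bob <bob@example.org>:13x:::::2:
sig:!::1:AAAAAAAAAAAAAAAA:1297000000::::Alice <alice@example.org>:10x:::::2:
"""

CERT_CLASSES = ("10", "11", "12", "13")  # 0x10..0x13 are user ID certifications


def records(text):
    """Split the colon listing into per-record field lists, skipping blanks."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def revoked_key_ids(text):
    """Key IDs of primary keys whose validity field marks them revoked."""
    return {f[4] for f in records(text) if f[0] == "pub" and f[1] == "r"}


def certifications_from_revoked_keys(text):
    """Return (certified key, user ID, signer key) for each third-party
    certification whose signer is revoked. Self-signatures are skipped, since a
    revoked key certifying its own user IDs is expected, not a new trust path."""
    revoked = revoked_key_ids(text)
    findings, key, uid = [], None, None
    for f in records(text):
        if f[0] == "pub":
            key, uid = f[4], None
        elif f[0] == "uid":
            uid = f[9]
        elif f[0] == "sig" and len(f) > 10 and f[10][:2] in CERT_CLASSES:
            if f[4] in revoked and f[4] != key:
                findings.append((key, uid, f[4]))
    return findings


if __name__ == "__main__":
    for key, uid, signer in certifications_from_revoked_keys(SAMPLE):
        print(f"WARNING: certification on {uid} (key {key}) made by revoked key {signer}")
```

Run against a real keyring by feeding the output of `gpg --with-colons --check-sigs <key>` to `certifications_from_revoked_keys`; the signer key must be present in the keyring (with its revocation) for its `pub` record to show as revoked.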