gpg --check-sigs should indicate if a signature is made by a revoked/compromised key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 9 22:46:38 CET 2011
On 02/09/2011 03:27 PM, Grant Olson wrote:

> The man page does say that this is intentionally not done for
> performance reasons:
> Same as --list-sigs, but the signatures are verified. Note that
> for performance reasons the revocation status of a signing key
> is not shown. This command has the same effect as using --list-
> keys with --with-sig-check.

ah, thanks for helping me RTFM :) sorry i missed that. is the same
thing true about key expiry?

> But shouldn't a user let the trust calculations do their magic and break
> the WoT to Bob's key once Alice's key has been revoked? Before the key
> was valid because Alice had full trust, now it's unvalidated because
> Alice's key is revoked.

yes, it would be good if people did that.

> It seems like this attack only works if you ignore the WoT and
> explicitly start signing keys X-degrees-of-separation away without
> proper verification. (Not that I'm saying I can't conceive of real
> people doing this.)

yeah, i think the problem is that people don't think about these
different ways that manual checking can fail. By not reporting key
expirations, --check-sigs puts the extra burden on the user -- this
might be a performance hit, but it's way more of a performance hit if
the user then has to go and manually look up each key, no?
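
The manual per-key lookup discussed in the message above can be scripted. This is an added example, not part of the original message and not GnuPG code: it reads `gpg --with-colons --check-sigs` output and flags certifications made by revoked or expired keys. It assumes the record layout documented in GnuPG's doc/DETAILS; the function names and the sample key IDs are constructed.

```shell
#!/bin/sh
# Assumed colon-record layout (GnuPG doc/DETAILS): field 1 = record type,
# field 2 = validity (pub: r revoked, e expired) or check result
# (sig: ! good, - bad, ? no public key, % error), field 5 = long key ID.
flag_bad_signers() {
    awk -F: '
        $1 == "pub" {
            cur = $5              # signatures that follow belong to this key
            validity[$5] = $2
            next
        }
        $1 == "sig" && $5 != cur {    # ignore self-signatures
            n++
            target[n] = cur; signer[n] = $5; result[n] = $2
        }
        END {
            # Resolve signers only now: a signer may be listed after
            # the key it certified.
            for (i = 1; i <= n; i++) {
                v = validity[signer[i]]
                if (result[i] != "!") state = "UNVERIFIED"
                else if (v == "r")    state = "SIGNER-REVOKED"
                else if (v == "e")    state = "SIGNER-EXPIRED"
                else continue
                print state, target[i], signer[i]
            }
        }'
}

# Constructed sample listing: Alice (AAAA...) is revoked, Carol (CCCC...)
# is expired, and the EEEE... signer is not in the keyring.
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:BBBBBBBBBBBBBBBB:1262304000:::-:::scESC:
sig:!::1:BBBBBBBBBBBBBBBB:1262304000::::Bob (constructed):13x:
sig:!::1:AAAAAAAAAAAAAAAA:1262390400::::Alice (constructed):10x:
sig:?::1:EEEEEEEEEEEEEEEE:1262390400::::[User ID not found]:10x:
pub:r:2048:1:AAAAAAAAAAAAAAAA:1262304000:::-:::sc:
sig:!::1:AAAAAAAAAAAAAAAA:1262304000::::Alice (constructed):13x:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1230768000:1262304000::-:::sc:
sig:!::1:CCCCCCCCCCCCCCCC:1230768000::::Carol (constructed):13x:
pub:f:2048:1:DDDDDDDDDDDDDDDD:1262304000:::-:::scESC:
sig:!::1:DDDDDDDDDDDDDDDD:1262304000::::Dave (constructed):13x:
sig:!::1:CCCCCCCCCCCCCCCC:1262390400::::Carol (constructed):10x:
sig:!::1:BBBBBBBBBBBBBBBB:1262390400::::Bob (constructed):10x:
EOF
}

sample_listing | flag_bad_signers
```

Against a real keyring the same function is fed with `gpg --with-colons --check-sigs | flag_bad_signers`; each output line is the state, the certified key, and the signing key.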