Revoke signature from key

David Shaw dshaw at jabberwocky.com
Mon Mar 21 21:05:35 CET 2011


On Mar 21, 2011, at 3:46 PM, Martin Gollowitzer wrote:

> * David Shaw <dshaw at jabberwocky.com> [110321 20:28, 
>  mID <387F8326-47AF-419E-A9A7-7C37D048A0A4 at jabberwocky.com>]:
> 
>> On Mar 21, 2011, at 3:02 PM, Mike Acker wrote:
>> 
>>> Scenario thus far:
>>> 	• Tom Newguy joined my group
>>> 	• Tom created a keypair and sent his PUBLIC key to me
>>> 	• I have approved his membership in the group
>>> 	• I have signed his key and sent his public key with my signature to other members of the group
>>> 	• now Tom has left the group
>>> Object: to revoke my signature from Tom Newguy's key
>> 
>> gpg --edit-key (newguyskey)
>> revsig
>> save
> 
> You forgot gpg --send-keys (newguyskey) and the fact that signatures on
> a key are actually meant as a statement that the signer has checked the
> key owner's identity and not as a sign that someone belongs to a group
> or something...

While the common usage for regular users is to sign based on checking identity, signatures can be just as well used as a token to indicate membership. For example, the PGP product has the concept of a "Corporate Signing Key", which is used to sign employee keys to indicate they are genuine (and their keyserver can actually enforce this). They are not signing to say that Alice is Alice, they are signing to say that Alice is Alice, and works for Company X (i.e. they would not sign Alice's personal key).

If I was going to do this with a group, like above, I'd probably make a special Group Signing Key to issue the membership signatures to avoid confusing my personal signatures with the group membership ones, though.

David