Revoke signature from key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Mar 21 21:18:09 CET 2011
On 03/21/2011 04:05 PM, David Shaw wrote:
> While the common usage for regular users is to sign based on checking identity, signatures can be just as well used as a token to indicate membership. For example, the PGP product has the concept of a "Corporate Signing Key", which is used to sign employee keys to indicate they are genuine (and their keyserver can actually enforce this). They are not signing to say that Alice is Alice, they are signing to say that Alice is Alice, and works for Company X (i.e. they would not sign Alice's personal key).
> If I was going to do this with a group, like above, I'd probably make a special Group Signing Key to issue the membership signatures to avoid confusing my personal signatures with the group membership ones, though.
If i was going to try to indicate more than a simple identity binding
with an OpenPGP signature, i'd define an OpenPGP notation and
include the relevant subpacket in my signature.
This way, the same signing key is capable of making identity
certifications *and* identity+metadata certifications.
For example, to indicate that the holder of $keyid will be employed by
the technical support department of Example Corp for the next year:
gpg --sign-key --cert-notation 'department@example.com=tech-support' \
    --default-cert-expire 1y "$keyid"
(and proceed with the usual identity checks as well)
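As an added example (not part of the post above and not GnuPG's own code), the following Python encodes and parses the two hashed signature subpackets that the `--cert-notation` and `--default-cert-expire` options put into a certification: Notation Data (RFC 4880 section 5.2.3.16) and Signature Expiration Time (section 5.2.3.10), with the subpacket length encoding of section 5.2.3.1. The notation name `department@example.com` and value `tech-support` are taken from the post; the one-year expiry, the sample areas and the function names are constructed for this example. A relying party that wants to act on such a membership claim must still verify the certification signature and decide whether it trusts the signing key; this code only shows what the claim looks like on the wire and how a parser should treat unknown critical subpackets.

```python
"""Encode and parse OpenPGP certification subpackets carrying a membership
notation plus a signature expiry (constructed example, not GnuPG code)."""
import struct

SUBPKT_SIG_EXPIRE = 3         # Signature Expiration Time: seconds after creation
SUBPKT_NOTATION = 20          # Notation Data
NOTATION_HUMAN_READABLE = 0x80000000   # first flag octet, bit 7: value is UTF-8 text
ONE_YEAR = 365 * 24 * 3600    # what "--default-cert-expire 1y" means, in seconds


def _encode_length(n):
    # RFC 4880 5.2.3.1: 1-octet (<192), 2-octet (<8384) or 5-octet length
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def _decode_length(data, pos):
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def subpacket(sp_type, body, critical=False):
    # The length covers the type octet plus the body; bit 7 of the type
    # octet marks the subpacket as critical.
    type_octet = sp_type | (0x80 if critical else 0)
    return _encode_length(len(body) + 1) + bytes([type_octet]) + body


def notation_subpacket(name, value, critical=False):
    # User-space notation names must have the form name@domain (5.2.3.16);
    # refuse anything else rather than emit a malformed subpacket.
    if "@" not in name:
        raise ValueError("user notation name must be name@domain: %r" % name)
    name_b, value_b = name.encode(), value.encode()
    body = (struct.pack(">IHH", NOTATION_HUMAN_READABLE, len(name_b), len(value_b))
            + name_b + value_b)
    return subpacket(SUBPKT_NOTATION, body, critical)


def expiration_subpacket(seconds):
    return subpacket(SUBPKT_SIG_EXPIRE, struct.pack(">I", seconds))


def parse_subpackets(area):
    """Walk a hashed subpacket area and return the notations, the signature
    expiry, and any unknown critical subpacket types.  A verifier that meets
    an unknown critical subpacket must treat the signature as invalid."""
    result = {"notations": {}, "expires_after": None, "unknown_critical": []}
    pos = 0
    while pos < len(area):
        length, pos = _decode_length(area, pos)
        sp_type = area[pos] & 0x7F
        critical = bool(area[pos] & 0x80)
        body = area[pos + 1:pos + length]
        pos += length
        if sp_type == SUBPKT_NOTATION:
            if len(body) < 8:
                raise ValueError("truncated notation subpacket")
            flags, nlen, vlen = struct.unpack(">IHH", body[:8])
            name = body[8:8 + nlen].decode()
            value = body[8 + nlen:8 + nlen + vlen]
            # Only human-readable notations are decoded as text; others stay raw.
            result["notations"][name] = value.decode() if flags & NOTATION_HUMAN_READABLE else value
        elif sp_type == SUBPKT_SIG_EXPIRE:
            result["expires_after"] = struct.unpack(">I", body)[0]
        elif critical:
            result["unknown_critical"].append(sp_type)
    return result


def build_membership_area(department, valid_seconds=ONE_YEAR):
    """Hashed subpacket area matching the intent of the post's gpg command:
    a department notation plus a signature expiry (constructed values)."""
    return notation_subpacket("department@example.com", department) + expiration_subpacket(valid_seconds)


if __name__ == "__main__":
    area = build_membership_area("tech-support")
    print(area.hex())
    print(parse_subpackets(area))
```

The same parser can be pointed at the hashed subpacket bytes of a real certification (for instance the ones `gpg --list-packets` reports for an exported key) to confirm that the membership notation and the expiry are present; a signature whose notation is missing, whose expiry has passed, or which carries a critical subpacket the verifier does not understand should not be taken as proof of membership.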