Revoke signature from key

Grant Olson kgo at grant-olson.net
Mon Mar 21 21:51:12 CET 2011


On 03/21/2011 04:18 PM, Daniel Kahn Gillmor wrote:
> On 03/21/2011 04:05 PM, David Shaw wrote:
>> While the common usage for regular users is to sign based on checking identity, signatures can be just as well used as a token to indicate membership.   For example, the PGP product has the concept of a "Corporate Signing Key", which is used to sign employee keys to indicate they are genuine (and their keyserver can actually enforce this).  They are not signing to say that Alice is Alice, they are signing to say that Alice is Alice, and works for Company X (i.e. they would not sign Alice's personal key).
>>
>> If I was going to do this with a group, like above, I'd probably make a special Group Signing Key to issue the membership signatures to avoid confusing my personal signatures with the group membership ones, though.
> 
> If i was going to try to indicate more than a simple identity binding
> with an OpenPGP signature, i'd define an OpenPGP notation [0] and
> include the relevant subpacket in my signature.
> 
> This way, the same signing key is capable of making identity
> certifications *and* identity+metadata certifications.
> 

But that doesn't provide any easy way for me to only trust your
identity+metadata certifications, if, for example, I trust you to sign
in your role for a company, but don't trust or care about your
personally-issued sigs.  Instead of signing your key, I need to manually
inspect any and all keys that may have your signature.

-- 
-Grant

"Look around! Can you construct some sort of rudimentary lathe?"
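The exchange above turns on how a notation is carried inside an OpenPGP signature and on how a relying party could decide to count only certifications that carry a particular notation from a particular issuer. The following is an added example, not code from anyone in this thread: it encodes and parses the hashed-subpacket area of a v4 signature as laid out in RFC 4880 (creation time, issuer key ID, notation data) and applies a constructed "membership" policy. The key IDs, the notation name `membership@example.org` and the signature contents are placeholders I made up; the cryptographic verification of the signature itself is assumed to have been done already by a real implementation.

```python
import struct

# RFC 4880 section 5.2.3.1 subpacket type numbers used in this example
SIG_CREATION_TIME = 2
ISSUER = 16
NOTATION_DATA = 20

HUMAN_READABLE = 0x80000000  # notation flag bit, RFC 4880 section 5.2.3.16


def encode_subpacket_length(n: int) -> bytes:
    """Subpacket length in the one-, two- or five-octet form of section 5.2.3.1."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_subpacket_length(buf: bytes, pos: int):
    """Return (length, position after the length field)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def encode_subpacket(sp_type: int, data: bytes) -> bytes:
    body = bytes([sp_type]) + data
    return encode_subpacket_length(len(body)) + body


def encode_notation(name: str, value: str, human_readable: bool = True) -> bytes:
    """Notation data subpacket: 4 flag octets, 2-octet name length, 2-octet value length."""
    name_b, value_b = name.encode("utf-8"), value.encode("utf-8")
    flags = HUMAN_READABLE if human_readable else 0
    data = struct.pack(">IHH", flags, len(name_b), len(value_b)) + name_b + value_b
    return encode_subpacket(NOTATION_DATA, data)


def parse_subpackets(area: bytes):
    """Return a list of (type, data) for every subpacket in a subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = decode_subpacket_length(area, pos)
        sp_type = area[pos] & 0x7F  # high bit marks the subpacket as critical
        out.append((sp_type, area[pos + 1:pos + length]))
        pos += length
    return out


def parse_notation(data: bytes):
    flags, name_len, value_len = struct.unpack(">IHH", data[:8])
    name = data[8:8 + name_len].decode("utf-8")
    value = data[8 + name_len:8 + name_len + value_len]
    if flags & HUMAN_READABLE:
        value = value.decode("utf-8")
    return name, value


def build_hashed_area(issuer_keyid_hex: str, notation=None, created=1300741872) -> bytes:
    """Constructed hashed area: creation time, issuer key ID and an optional notation.
    The issuer is placed in the hashed area here for simplicity; a real verifier
    establishes the issuer by checking the signature against that key."""
    area = encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", created))
    area += encode_subpacket(ISSUER, bytes.fromhex(issuer_keyid_hex))
    if notation is not None:
        area += encode_notation(*notation)
    return area


def summarize_certification(hashed_area: bytes) -> dict:
    """Pull out the issuer and the notations a certification carries.
    Only the hashed area is covered by the signature, so notations in the
    unhashed area must not be used for any trust decision."""
    info = {"issuer": None, "created": None, "notations": {}}
    for sp_type, data in parse_subpackets(hashed_area):
        if sp_type == ISSUER:
            info["issuer"] = data.hex().upper()
        elif sp_type == SIG_CREATION_TIME:
            info["created"] = struct.unpack(">I", data)[0]
        elif sp_type == NOTATION_DATA:
            name, value = parse_notation(data)
            info["notations"][name] = value
    return info


def membership_certs(labelled_areas, trusted_issuer, notation_name, expected_value):
    """Policy from the thread: count a certification only when it comes from the
    trusted issuer AND carries the membership notation with the expected value,
    so the issuer's plain identity certifications are ignored."""
    keep = []
    for label, area in labelled_areas:
        info = summarize_certification(area)
        if info["issuer"] == trusted_issuer and info["notations"].get(notation_name) == expected_value:
            keep.append(label)
    return keep


# Constructed sample certifications on one key (placeholder key IDs, not real keys)
GROUP_KEY = "0123456789ABCDEF"
OTHER_KEY = "FEDCBA9876543210"
NOTATION = ("membership@example.org", "engineering")
SAMPLE_CERTS = [
    ("plain identity cert from group key", build_hashed_area(GROUP_KEY)),
    ("membership cert from group key", build_hashed_area(GROUP_KEY, NOTATION)),
    ("membership cert from unrelated key", build_hashed_area(OTHER_KEY, NOTATION)),
]

if __name__ == "__main__":
    print(membership_certs(SAMPLE_CERTS, GROUP_KEY, *NOTATION))
```

Running the block keeps only the second constructed certification: the group key's plain identity certification and the unrelated key's notation-bearing certification are both dropped, which is the separation Grant asks for without needing a second signing key. Anything stored in the unhashed area is outside the signed data, so a verifier must read notations from the hashed area only.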
