Revoke signature from key

David Shaw dshaw at jabberwocky.com
Mon Mar 21 23:04:24 CET 2011 

On Mar 21, 2011, at 4:18 PM, Daniel Kahn Gillmor wrote:

> On 03/21/2011 04:05 PM, David Shaw wrote:
>> While the common usage for regular users is to sign based on checking identity, signatures can be just as well used as a token to indicate membership.   For example, the PGP product has the concept of a "Corporate Signing Key", which is used to sign employee keys to indicate they are genuine (and their keyserver can actually enforce this).  They are not signing to say that Alice is Alice, they are signing to say that Alice is Alice, and works for Company X (i.e. they would not sign Alice's personal key).
>> 
>> If I was going to do this with a group, like above, I'd probably make a special Group Signing Key to issue the membership signatures to avoid confusing my personal signatures with the group membership ones, though.
> 
> If i was going to try to indicate more than a simple identity binding
> with an OpenPGP signature, i'd define an OpenPGP notation [0] and
> include the relevant subpacket in my signature.
> 
> This way, the same signing key is capable of making identity
> certifications *and* identity+metadata certifications.
> 
> For example, to indicate that the holder of $keyid will be employed by
> the technical support department of Example Corp for the next year:
> 
> gpg --sign-key --cert-notation 'department at example.com=tech-support' \
>    --default-cert-expire 1y "$keyid"
> 
> (and proceed with the usual identity checks as well)

I think this is more flexible of an answer, but it requires client support that doesn't currently exist.  Without the client support, users will have to check such signatures by hand and their web of trust cannot be automatically built by the client.

Having a corporate signing key addresses the issue on current clients in two steps: import and then (l)sign the CSK.  The PGP product actually does this sort of thing automatically (new users can be configured to automatically import and lsign the CSK whenever they generate a key, so this "just works" for them).

David

More information about the Gnupg-users mailing list