Revoked keys and past signatures

Peter Lebbing peter at digitalbrains.com
Mon Feb 9 14:28:19 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/02/15 20:06, Hugo Osvaldo Barrera wrote:
> Does this mean that if someone revokes their key today, *all past*
> signatures become invalid?

I believe so, yes. You should probably have expired it instead, sorry.

Suppose it is revoked because someone stole the key; then that person could
forge signatures dated in the past by faking the time. If GnuPG accepted them
because at that time the key wasn't revoked yet, that would create a security
issue.

And GnuPG, AFAIK, doesn't do anything with the "revocation reason", so it will
see all revocations the same.

If you haven't uploaded the revocation to a key server, it is possible to have
it unrevoked; your correspondents would need to delete their copy of your
public key and only after that import your new unrevoked key. Say so if you
want me to explain how to surgically alter a key to no longer be revoked. This
however doesn't help when it's already on a keyserver; they will still keep it
revoked no matter what you do.

HTH,

Peter.

- -- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
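The stolen-key argument above can be made concrete with a small model. The following is an added example, not code from the post or from GnuPG: it compares a naive verifier that honours signatures claiming to predate the revocation against a strict one that treats a revoked key as revoked for every signature. Key fingerprints, dates and the signer labels are constructed; the verifier logic is a hypothetical simplification and does not reproduce GnuPG's actual status codes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class KeyState:
    """Simplified (hypothetical) view of a public key as a verifier sees it."""
    fingerprint: str
    revoked_at: Optional[datetime] = None   # when a revocation certificate was issued
    expires_at: Optional[datetime] = None   # expiry from the key's self-signature


@dataclass(frozen=True)
class Signature:
    """A signature whose creation time is asserted by whoever holds the private key."""
    signer: str            # informational only: a verifier cannot tell owner from thief
    claimed_time: datetime
    crypto_ok: bool = True  # stands in for the real cryptographic check


def naive_verdict(sig: Signature, key: KeyState) -> str:
    """Unsafe policy: honour signatures that claim to predate the revocation.

    The claimed time is under the signer's control, so whoever stole the key
    can simply backdate.
    """
    if not sig.crypto_ok:
        return "BAD"
    if key.revoked_at is not None and sig.claimed_time >= key.revoked_at:
        return "REVOKED-KEY"
    return "GOOD"


def strict_verdict(sig: Signature, key: KeyState) -> str:
    """Revocation-as-total policy (a model, not GnuPG's code): a revoked key
    taints every signature, whatever time it claims; an expired key only
    rejects signatures claiming a time after the expiry."""
    if not sig.crypto_ok:
        return "BAD"
    if key.revoked_at is not None:
        return "REVOKED-KEY"
    if key.expires_at is not None and sig.claimed_time > key.expires_at:
        return "EXPIRED-KEY"
    return "GOOD"


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def run_scenarios() -> dict:
    """Constructed scenario: key stolen in late 2014, revoked on 2015-02-08."""
    revoked = KeyState("HYPOTHETICAL-FPR-1", revoked_at=_utc(2015, 2, 8))
    legit = Signature("owner", claimed_time=_utc(2014, 6, 1))
    # Made by the thief after the theft but stamped with an earlier date.
    forged = Signature("thief", claimed_time=_utc(2014, 12, 1))

    # Contrast: a key that was allowed to expire instead of being revoked.
    expired = KeyState("HYPOTHETICAL-FPR-2", expires_at=_utc(2015, 1, 1))
    before_expiry = Signature("owner", claimed_time=_utc(2014, 6, 1))
    after_expiry = Signature("owner", claimed_time=_utc(2015, 3, 1))

    return {
        "naive_legit": naive_verdict(legit, revoked),
        "naive_forged": naive_verdict(forged, revoked),
        "strict_legit": strict_verdict(legit, revoked),
        "strict_forged": strict_verdict(forged, revoked),
        "expired_before": strict_verdict(before_expiry, expired),
        "expired_after": strict_verdict(after_expiry, expired),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:15s} {verdict}")
```

The naive policy accepts the backdated forgery because the only evidence it has, the claimed timestamp, comes from the same party that holds the key. The strict policy loses the owner's genuine older signatures too, which is exactly the trade-off the post describes and why letting a key expire is the gentler option when nothing was compromised.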


