Revoked keys and past signatures

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Feb 9 20:34:07 CET 2015


On Mon 2015-02-09 12:54:33 -0500, Hugo Osvaldo Barrera wrote:
> Out of curiosity: is the revocation reason even saved? Would it be possible for
> gpg to actually use it in future?

Yes, the revocation reason *is* stored in the revocation signature, in
the "reason for revocation" subpacket:

   https://tools.ietf.org/html/rfc4880#section-5.2.3.23

My understanding was that gpg actually does use the revocation reason,
but i'm aware that this disagrees with what Peter Lebbing said. i
haven't gone ahead and tested this lately.

For example, here's an old key of mine that was revoked with the reason
"superseded":

0 dkg at alice:~$ gpg --export-options export-minimal --export 0x8974E514A54B6365 | gpg --list-packets | grep revocation\ reason
	hashed subpkt 29 len 205 (revocation reason 0x01 (This key has been superseded by D21739E9\nMy new key's fingerprint is: 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9\nPlease see http://fifthhorseman.net/key-transition-2007-06-15.txt for more details.))
0 dkg at alice:~$ 

the *date* of your "key was superseded" revocation is relevant, though.
Any certifications that claim to have happened after the date of the
revocation *should* be considered invalid, whereas revocations that
happen before that date (but after the key creation date) should retain
their validity.

           --dkg
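The two points in the message above, the "reason for revocation" subpacket (RFC 4880 section 5.2.3.23) and the rule that certifications dated after the revocation lose validity while earlier ones keep it, as an added worked example that is not part of the original mail and not gpg's code. It builds a small hashed-subpacket area in the RFC 4880 5.2.3.1 wire format (type 2 signature creation time plus type 29 reason), parses it back, and applies the date rule. The reason text is the one shown in dkg's `--list-packets` output; the revocation and key-creation dates are constructed values, not taken from the real key.

```python
"""Decode an OpenPGP "reason for revocation" subpacket and apply the
revocation-date rule.  Added example; not gpg code, not from the mail."""
import struct
from datetime import datetime, timezone

# Subpacket types from RFC 4880 section 5.2.3.1
SIG_CREATION_TIME = 2
REASON_FOR_REVOCATION = 29

# Reason codes from RFC 4880 section 5.2.3.23
REASON_CODES = {
    0x00: "No reason specified",
    0x01: "Key is superseded",
    0x02: "Key material has been compromised",
    0x03: "Key is retired and no longer used",
    0x20: "User ID information is no longer valid",
}


def encode_subpacket(sub_type, body, critical=False):
    """Serialise one signature subpacket using the RFC 4880 5.2.3.1 length encoding."""
    length = 1 + len(body)  # the type octet counts toward the encoded length
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        length -= 192
        hdr = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([sub_type | (0x80 if critical else 0)]) + body


def parse_subpackets(data):
    """Yield (type, critical_flag, body) for each subpacket in a subpacket area."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length = ((first - 192) << 8) + data[pos + 1] + 192
            pos += 2
        else:
            length = struct.unpack(">I", data[pos + 1:pos + 5])[0]
            pos += 5
        type_octet = data[pos]
        body = data[pos + 1:pos + length]  # gpg's "len" is this body, type octet excluded
        pos += length
        yield type_octet & 0x7F, bool(type_octet & 0x80), body


def decode_reason(body):
    """Split a type-29 body into (reason code, code meaning, UTF-8 reason text)."""
    code = body[0]
    return code, REASON_CODES.get(code, "Unknown or private reason"), body[1:].decode("utf-8")


def summarise_revocation(hashed_area):
    """Collect creation time and revocation reason from a hashed subpacket area."""
    info = {}
    for sub_type, _critical, body in parse_subpackets(hashed_area):
        if sub_type == SIG_CREATION_TIME:
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", body)[0], timezone.utc)
        elif sub_type == REASON_FOR_REVOCATION:
            code, meaning, text = decode_reason(body)
            info.update(reason_code=code, reason=meaning, reason_text=text, reason_len=len(body))
    return info


def certification_status(cert_time, key_created, revoked_at):
    """Date rule from the mail: certifications dated after the revocation are
    invalid; those made between key creation and revocation keep their validity."""
    if cert_time < key_created:
        return "invalid (predates key creation)"
    if cert_time > revoked_at:
        return "invalid (dated after revocation)"
    return "valid (made before revocation)"


# Reason text as printed by gpg --list-packets in the mail; dates are constructed.
REASON_TEXT = ("This key has been superseded by D21739E9\n"
               "My new key's fingerprint is: 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9\n"
               "Please see http://fifthhorseman.net/key-transition-2007-06-15.txt for more details.")
KEY_CREATED = datetime(2003, 1, 1, tzinfo=timezone.utc)      # constructed
REVOCATION_TIME = datetime(2007, 6, 15, tzinfo=timezone.utc)  # constructed

SAMPLE_HASHED_AREA = (
    encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", int(REVOCATION_TIME.timestamp())))
    + encode_subpacket(REASON_FOR_REVOCATION, bytes([0x01]) + REASON_TEXT.encode("utf-8"))
)

if __name__ == "__main__":
    info = summarise_revocation(SAMPLE_HASHED_AREA)
    print(f"revoked {info['created']:%Y-%m-%d}: reason 0x{info['reason_code']:02x} "
          f"({info['reason']}), subpkt 29 len {info['reason_len']}")
    for when in (datetime(2005, 3, 1, tzinfo=timezone.utc), datetime(2010, 3, 1, tzinfo=timezone.utc)):
        print(f"certification dated {when:%Y-%m-%d}: "
              f"{certification_status(when, KEY_CREATED, REVOCATION_TIME)}")
```

The parsed `reason_len` comes out at 205, the same figure gpg prints as `len` for this subpacket, because gpg reports the body length without the type octet. A verifier that applies the date rule must take `revoked_at` from the revocation signature's own creation-time subpacket, as the summariser does, not from the time the revocation was imported.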
