Revoked keys and past signatures
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Feb 9 20:34:07 CET 2015
On Mon 2015-02-09 12:54:33 -0500, Hugo Osvaldo Barrera wrote:
> Out of curiosity: is the revocation reason even saved? Would it be possible for
> gpg to actually use it in future?
Yes, the revocation reason *is* stored in the revocation signature, in
the "reason for revocation" subpacket:
https://tools.ietf.org/html/rfc4880#section-5.2.3.23
My understanding was that gpg actually does use the revocation reason,
but i'm aware that this disagrees with what Peter Lebbing said. i
haven't gone ahead and tested this lately.
For example, here's an old key of mine that was revoked with the reason
"superseded":
0 dkg at alice:~$ gpg --export-options export-minimal --export 0x8974E514A54B6365 | gpg --list-packets | grep revocation\ reason
hashed subpkt 29 len 205 (revocation reason 0x01 (This key has been superseded by D21739E9\nMy new key's fingerprint is: 0EE5 BE97 9282 D80B 9F75 40F1 CCD2 ED94 D217 39E9\nPlease see http://fifthhorseman.net/key-transition-2007-06-15.txt for more details.))
0 dkg at alice:~$
the *date* of your "key was superseded" revocation is relevant, though.
Any certifications that claim to have happened after the date of the
revocation *should* be considered invalid, whereas revocations that
happen before that date (but after the key creation date) should retain
their validity.
--dkg
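The two mechanics in this message, the "reason for revocation" subpacket (type 29, RFC 4880 section 5.2.3.23) and the rule that certifications dated after the revocation are invalid while those dated between key creation and revocation remain valid, as an added worked example. This is illustrative code written for this page, not gpg's code and not code from the thread. The subpacket area it parses is constructed inline (it is not a real signature), the key-creation and revocation dates are assumed values (the revocation date is taken from the key-transition URL in the message), and the choice to treat a certification dated at exactly the revocation second as "after" is the example's own conservative choice. Helper names such as `revocation_info` and `certification_status` are invented here.

```python
"""Added example (not from the original thread): parse the "reason for
revocation" subpacket of an OpenPGP revocation signature and apply the
date rule described in the message.  The subpacket area is constructed
below for illustration; it is not a real signature."""
import struct
from datetime import datetime, timezone

# RFC 4880 section 5.2.3.23: machine-readable reason codes.
REVOCATION_REASONS = {
    0x00: "No reason specified",
    0x01: "Key is superseded",
    0x02: "Key material has been compromised",
    0x03: "Key is retired and no longer used",
    0x20: "User ID information is no longer valid",
}
SUBPKT_CREATION_TIME = 2       # RFC 4880 5.2.3.4
SUBPKT_REVOCATION_REASON = 29  # RFC 4880 5.2.3.23


def build_subpacket(sub_type: int, data: bytes) -> bytes:
    """Encode one subpacket with the length scheme of RFC 4880 5.2.3.1."""
    body = bytes([sub_type]) + data
    n = len(body)
    if n < 192:
        return bytes([n]) + body
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF]) + body
    return b"\xff" + struct.pack(">I", n) + body


def parse_subpackets(area: bytes):
    """Split a subpacket area into (type, body) pairs; raises on truncation."""
    i, out = 0, []
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        body = area[i:i + length]
        if len(body) != length or length == 0:
            raise ValueError("truncated or empty subpacket")
        # bit 7 of the type octet is the "critical" flag, not part of the type
        out.append((body[0] & 0x7F, body[1:]))
        i += length
    return out


def revocation_info(hashed_area: bytes):
    """Return (reason_code, reason_text, signature_creation_time); missing -> None."""
    code = text = created = None
    for sub_type, body in parse_subpackets(hashed_area):
        if sub_type == SUBPKT_CREATION_TIME:
            created = struct.unpack(">I", body)[0]
        elif sub_type == SUBPKT_REVOCATION_REASON:
            code = body[0]                      # one-octet reason code
            text = body[1:].decode("utf-8", errors="replace")  # human-readable text
    return code, text, created


def certification_status(cert_time: int, key_created: int, revoked_at: int) -> str:
    """Certifications dated after the revocation are invalid; those dated between
    key creation and revocation keep their validity.  A certification claiming
    the very second of revocation is treated as 'after' (conservative choice)."""
    if cert_time < key_created:
        return "invalid: predates key creation"
    if cert_time >= revoked_at:
        return "invalid: dated after revocation"
    return "valid"


def ts(y: int, m: int, d: int) -> int:
    """Seconds since the epoch for a UTC midnight date."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


KEY_CREATED = ts(2000, 1, 1)   # assumed key creation date
REVOKED_AT = ts(2007, 6, 15)   # assumed revocation date (the key-transition date)

# Constructed hashed subpacket area of a superseded-key revocation (code 0x01).
SAMPLE_AREA = (
    build_subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", REVOKED_AT))
    + build_subpacket(SUBPKT_REVOCATION_REASON,
                      b"\x01This key has been superseded by D21739E9")
)

if __name__ == "__main__":
    code, text, created = revocation_info(SAMPLE_AREA)
    print(f"reason 0x{code:02x} ({REVOCATION_REASONS.get(code, 'unknown')}): {text}")
    for when in (ts(1999, 6, 1), ts(2005, 6, 1), ts(2010, 1, 1)):
        print(when, certification_status(when, KEY_CREATED, created))
```

The parser takes the signature creation time from the revocation signature itself, which is the date the rule keys on; a verifier that ignores it and treats every certification as dead once any revocation exists throws away valid history, and one that ignores it in the other direction lets a certification forged with a later date through.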
More information about the Gnupg-users mailing list