Revoked keys and past signatures

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Tue Feb 10 12:52:41 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02/10/2015 12:28 PM, Peter Lebbing wrote:
> On 09/02/15 20:34, Daniel Kahn Gillmor wrote:
>> the *date* of your "key was superseded" revocation is relevant, 
>> though. Any certifications that claim to have happened after the
>> date of the revocation *should* be considered invalid, whereas
>> revocations that happen before that date (but after the key
>> creation date) should retain their validity.
> 

...

> 
> That's twenty minutes later. I don't see a reason for GnuPG to
> round to full days when it has resolution down to the second for
> the times the signatures (data, revocation) are made... is there?

No

> 
> The RFC clearly states "key superseded" doesn't invalidate old
> signatures:

And it doesn't

> 
>> However, if it was merely superseded or retired, old signatures
>> are still valid.
> 
> But using GnuPG 2.0.26 on Debian jessie/testing, package 2.0.26-4,
> I can reproduce signatures becoming invalid... what's going on?
> Does GnuPG not implement the RFC here or is it a bug?

No, the signature is still valid:

> $ gpg2 --verify test.gpg
> gpg: Signature made Tue 10 Feb 2015 11:53:47 CET using RSA key ID B2F1C0D8
> gpg: Good signature from "Testkey 3" [unknown]
       ^^^^^^^^^^^^^^^^^^^^^^
> gpg: WARNING: This key has been revoked by its owner!
> gpg:          This could mean that the signature is forged.
> gpg: reason for revocation: Key is superseded
> gpg: revocation comment: Test revocation
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EFF1 596F 1A68 F708 8699  579D 0815 4E55 B2F1 C0D8

... However, you have an unknown situation wrt the validity of the key
having issued the signature; you get the additional information, and
you need to make your own considerations as to the validity of the key
at the present stage.
- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Credo quia absurdum
I believe it because it is absurd
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU2fECAAoJEP7VAChXwav6ou8IAK9zhGomCj7qmpBgo2DOn0BM
fLTJXb3iUvDQgzuzYi+UIrj5L+2CaCllSQlFdDkcZfaH0FbT184j39VAhhc73liR
VhLqn2kSByi8OQTMjR0A7OdMCKDExgcI98jr5GF4v4KsSnwk61BYnrTtGVb7/h0L
kqQwIFxwVSrbxxFouv5nG5dQeAWW26YyDpPmUDTyaF3ANuCeDEtpfE1UrI9NBRMH
T6xUoHW45OxkZkodDIbTwT8FpUZpM24d5oYqO+Fmyy7JcNUW8Z+iHhFhtv+6Xvpy
dPISOnkXI8hstPrFDmKB8nYleU4vhlf5LEqCcaqcnxNvbczGUPIV+1rjAcJ5+TA=
=MCEY
-----END PGP SIGNATURE-----
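The thread above describes what GnuPG does (report "Good signature" plus a revocation warning) and leaves the actual decision to the user. Below is an added example of that decision layer, not code from this thread or from GnuPG itself: it reduces the machine-readable lines GnuPG writes with --status-fd (GOODSIG/REVKEYSIG, KEYREVOKED, VALIDSIG, with the field layout documented in GnuPG's doc/DETAILS) to the facts needed, then applies the rule dkg and Peter discuss: a signature dated after the revocation is invalid, one dated before it (but after key creation) keeps its validity when the reason is "superseded" or "retired", and is suspect when the reason is "compromised". The status lines do not carry the reason for revocation, so the example assumes the revocation time and RFC 4880 reason code are supplied separately (e.g. read off the key with --list-packets). The status lines in the example are constructed to match the thread's key and times, not captured from a real run.

```python
"""Policy check for signatures made by a key that was later revoked.

Added example, not from the thread or from GnuPG. Revocation time and
reason are assumed to come from the key itself, because --status-fd
output does not carry the reason for revocation.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Iterable, Optional


class RevocationReason(IntEnum):
    """Reason-for-revocation codes, RFC 4880 section 5.2.3.23."""
    NO_REASON = 0
    SUPERSEDED = 1
    COMPROMISED = 2
    RETIRED = 3
    USER_ID_INVALID = 32


class Verdict(Enum):
    BAD_SIGNATURE = "cryptographic check failed or no signature reported"
    VALID = "good signature, key not revoked"
    VALID_BEFORE_REVOCATION = "good signature, made before a superseded/retired revocation"
    SUSPECT_COMPROMISED = "good signature, but key revoked as compromised"
    INVALID_AFTER_REVOCATION = "signature claims to be made after the revocation"
    INVALID_BEFORE_CREATION = "signature claims to be made before the key existed"
    UNCERTAIN = "revoked without a usable reason; decide out of band"


@dataclass
class Revocation:
    made_at: int                    # epoch seconds of the revocation signature
    reason: RevocationReason


@dataclass
class KeyInfo:
    created: int                    # epoch seconds of key creation
    revocation: Optional[Revocation] = None


@dataclass
class SignatureReport:
    fingerprint: str = ""
    made_at: Optional[int] = None   # VALIDSIG's sig-timestamp field
    good: bool = False              # GOODSIG or REVKEYSIG seen
    key_revoked: bool = False       # REVKEYSIG or KEYREVOKED seen


def parse_status(lines: Iterable[str]) -> SignatureReport:
    """Reduce --status-fd lines to the facts the policy needs."""
    report = SignatureReport()
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue                # ordinary stderr text, not a status line
        fields = line[len("[GNUPG:] "):].split()
        keyword = fields[0]
        if keyword == "GOODSIG":
            report.good = True
        elif keyword == "REVKEYSIG":   # emitted instead of GOODSIG for a revoked key
            report.good = True
            report.key_revoked = True
        elif keyword == "KEYREVOKED":
            report.key_revoked = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <YYYY-MM-DD> <sig-timestamp> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
            report.fingerprint = fields[1]
            report.made_at = int(fields[3])   # assumption: numeric epoch form
        elif keyword in ("BADSIG", "ERRSIG"):
            report.good = False
            break
    return report


def evaluate(report: SignatureReport, key: KeyInfo) -> Verdict:
    """Apply the revocation-date and revocation-reason rules."""
    if not report.good or report.made_at is None:
        return Verdict.BAD_SIGNATURE
    if report.made_at < key.created:
        return Verdict.INVALID_BEFORE_CREATION
    rev = key.revocation
    if rev is None:
        # GnuPG says revoked but we have no revocation packet to reason from
        return Verdict.UNCERTAIN if report.key_revoked else Verdict.VALID
    if report.made_at >= rev.made_at:      # second resolution, no rounding to days
        return Verdict.INVALID_AFTER_REVOCATION
    if rev.reason == RevocationReason.COMPROMISED:
        return Verdict.SUSPECT_COMPROMISED
    if rev.reason in (RevocationReason.SUPERSEDED, RevocationReason.RETIRED):
        return Verdict.VALID_BEFORE_REVOCATION
    return Verdict.UNCERTAIN


# Constructed status lines modelled on the thread's run: key ID B2F1C0D8,
# fingerprint EFF1596F...B2F1C0D8, signature at 11:53:47 CET on 10 Feb 2015
# (1423565627 as epoch seconds). Not captured from a real GnuPG invocation.
SIG_TIME = 1423565627
FPR = "EFF1596F1A68F7088699579D08154E55B2F1C0D8"
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 08154E55B2F1C0D8 Testkey 3",
    "[GNUPG:] KEYREVOKED",
    f"[GNUPG:] VALIDSIG {FPR} 2015-02-10 {SIG_TIME} 0 4 0 1 10 00 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Key created an hour before the signature; revoked twenty minutes after it,
# matching "That's twenty minutes later" in the thread.
SUPERSEDED_KEY = KeyInfo(created=SIG_TIME - 3600,
                         revocation=Revocation(SIG_TIME + 20 * 60, RevocationReason.SUPERSEDED))
COMPROMISED_KEY = KeyInfo(created=SIG_TIME - 3600,
                          revocation=Revocation(SIG_TIME + 20 * 60, RevocationReason.COMPROMISED))

if __name__ == "__main__":
    report = parse_status(SAMPLE_STATUS)
    for label, key in (("superseded", SUPERSEDED_KEY), ("compromised", COMPROMISED_KEY)):
        verdict = evaluate(report, key)
        print(f"{label}: {verdict.name} - {verdict.value}")
```

The same status input yields VALID_BEFORE_REVOCATION for the superseded key and SUSPECT_COMPROMISED for a compromised one, which is the distinction the RFC draws and GnuPG deliberately leaves to the caller. Note that the timestamps being compared are self-reported by the signer and by whoever issued the revocation, so this check answers "does the claimed order of events hold?", not "did it really happen then?"; a trusted timestamp would be needed for the latter.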