(bug?) Revoked keys and past signatures

Peter Lebbing peter at digitalbrains.com
Tue Feb 10 13:51:10 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/15 13:30, Kristian Fiskerstrand wrote:
> Unless you rely on a trusted third party to provide signature stamps, 
> signature dates can be forged. A key revocation should result in immediate
> questioning of all aspects of the key, as it currently does.

Does GnuPG consciously not follow the RFC here then? Otherwise, what does this
mean (RFC 4880 section 5.2.23, Reason for Revocation subpacket):

> An implementation SHOULD implement this subpacket, include it in all 
> revocation signatures, and interpret revocations appropriately. There are
> important semantic differences between the reasons, and there are thus
> important reasons for revoking signatures.
> 
> If a key has been revoked because of a compromise, all signatures created
> by that key are suspect.  However, if it was merely superseded or retired,
> old signatures are still valid.

What is the important semantic difference between "Key is superseded" and "Key
material has been compromised", if past signatures are immediately questioned?

Peter.

PS: Odd turn of the sentence, "there are thus important reasons for revoking
signatures." I wonder if they intended "there are thus important reasons for
handling the cases differently".

- -- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list