(bug?) Revoked keys and past signatures

Hugo Osvaldo Barrera hugo at barrera.io
Tue Feb 10 14:37:38 CET 2015

On 2015-02-10 13:30, Kristian Fiskerstrand wrote:
> On 02/10/2015 01:24 PM, Peter Lebbing wrote:
> > On 10/02/15 12:52, Kristian Fiskerstrand wrote:
> >> No, the signature is still valid:
> >> 
> > 
> > Why? The key was revoked because it was superseded or has been
> > retired, not because it was stolen or compromised.
> > 
> Unless you rely on a trusted third party to provide signature stamps,
> signature dates can be forged. A key revocation should result in
> immediate questioning of all aspects of the key, as it currently does.

There is no reason to assume that the signature has been forged if the key has
not been compromised.

Also, I see no reason why I should not be able to assign a trust to a revoked
key - I might trust it even if the author revoked it as superseded:

  $ gpg --edit 1BFBED44
  [... info on revoked key ...]
  gpg> lsign
  Key is revoked.  Unable to sign.

I believe the reason matters. I can even sit down with the owner of the key and
verify his ID and fingerprint and sign it, meaning "this key belongs to this
person, but was superseded a week ago". It actually influences the validity of
anything he signed up to a week ago.

Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?