(bug?) Revoked keys and past signatures

Hugo Osvaldo Barrera hugo at barrera.io
Tue Feb 10 14:37:38 CET 2015


On 2015-02-10 13:30, Kristian Fiskerstrand wrote:
> On 02/10/2015 01:24 PM, Peter Lebbing wrote:
> > On 10/02/15 12:52, Kristian Fiskerstrand wrote:
> >> No, the signature is still valid:
> >> 
> 
> > 
> > Why? The key was revoked because it was superseded or has been
> > retired, not because it was stolen or compromised.
> > 
> 
> Unless you rely on a trusted third party to provide signature stamps,
> signature dates can be forged. A key revocation should result in
> immediate questioning of all aspects of the key, as it currently does.
> 

There is no reason to assume that the signature has been forged if the key has
not been compromised.

Also, I see no reason why I should not be able to assign a trust to a revoked
key - I might trust it even if the author revoked it as superseded:


  $ gpg --edit 1BFBED44
  [... info on revoked key ...]
  gpg> lsign
  Key is revoked.  Unable to sign.

I believe the reason matters. I can even sit down with the owner of the key and
verify his ID and fingerprint and sign it, meaning "this key belongs to this
person, but was superseded a week ago". It actually influences the validity of
anything he signed up to a week ago.

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
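
Added example, not part of the original message and not GnuPG's own logic: a sketch of the reason-dependent policy argued for in this message, with the quoted caveat that a signature's date is self-asserted unless a trusted timestamp backs it. The reason codes are those of RFC 4880 section 5.2.3.23; the function names, verdict strings and sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from enum import IntEnum


class RevocationReason(IntEnum):
    # Reason-for-revocation codes, RFC 4880 section 5.2.3.23
    NO_REASON = 0
    SUPERSEDED = 1
    COMPROMISED = 2
    RETIRED = 3
    USER_ID_INVALID = 32  # used for user ID revocations, not key revocations


# "Soft" reasons: the key was never claimed to be in an attacker's hands.
SOFT_REASONS = {RevocationReason.SUPERSEDED, RevocationReason.RETIRED}


def parse_reason_subpacket(body):
    """Body of signature subpacket type 29: one reason octet, then UTF-8 text."""
    if not body:
        return RevocationReason.NO_REASON, ""
    try:
        reason = RevocationReason(body[0])
    except ValueError:
        reason = RevocationReason.NO_REASON  # unknown/private code: assume worst
    return reason, body[1:].decode("utf-8", errors="replace")


def assess_signature(sig_time, revoked_at, reason_body, timestamp_trusted=False):
    """Return a verdict for a signature made by a key that was later revoked."""
    reason, _comment = parse_reason_subpacket(reason_body)
    if reason not in SOFT_REASONS:
        return "suspect"      # compromised or unstated: every signature is in doubt
    if sig_time >= revoked_at:
        return "invalid"      # made after the owner stopped using the key
    # The signer writes the creation time, so it only proves anything when an
    # independent party (a timestamping service, for example) vouches for it.
    return "valid" if timestamp_trusted else "valid-if-date-trusted"


# Constructed sample values, not taken from any real key.
SIG_TIME = datetime(2015, 2, 1, tzinfo=timezone.utc)
REVOKED_AT = datetime(2015, 2, 3, tzinfo=timezone.utc)
SUPERSEDED_BODY = b"\x01replaced by a new key"
COMPROMISED_BODY = b"\x02laptop stolen"

if __name__ == "__main__":
    for body in (SUPERSEDED_BODY, COMPROMISED_BODY, None):
        print(body, "->", assess_signature(SIG_TIME, REVOKED_AT, body))
```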