(bug?) Revoked keys and past signatures

Hauke Laging mailinglisten at hauke-laging.de
Tue Feb 10 19:20:03 CET 2015


On Tue 10.02.2015, 13:01:17, Daniel Kahn Gillmor wrote:

> > I can even sit down with the owner of
> > the key and verify his ID and fingerprint and sign it, meaning
> > "this key belongs to this person, but was superseded a week ago".
> > It actually influences the validity of anything he signed up to a
> > week ago.

I support this attitude.


> your certifications (whether local or exportable) themselves have a
> timestamp in them.  It would be silly to certify a key and its user ID
> after it was revoked by the owner; you'd be claiming "i believe that
> right now this is the correct key", which is not the case.

And who says that this is the statement? The RfC? I think that faking 
cannot be a good idea in a crypto context. What if the signing key was 
created after the revocation? What would that look like? It must be 
possible for people who have only newer keys to make a "the owner of 
this key is X" statement.


> I understand the semantics of what you're trying to do, but i'm not
> sure that OpenPGP has syntax to represent it.

I don't see any problem with the syntax. The problem is the lack of 
semantic definition. The next OpenPGP version should address that at any 
rate.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5