(bug?) Revoked keys and past signatures

Ingo Klöcker kloecker at kde.org
Tue Feb 10 22:03:56 CET 2015


On Tuesday 10 February 2015 10:37:38 Hugo Osvaldo Barrera wrote:
> On 2015-02-10 13:30, Kristian Fiskerstrand wrote:
> > On 02/10/2015 01:24 PM, Peter Lebbing wrote:
> > > On 10/02/15 12:52, Kristian Fiskerstrand wrote:
> > >> No, the signature is still valid:
> > > Why? The key was revoked because it was superseded or has been
> > > retired, not because it was stolen or compromised.
> > 
> > Unless you rely on a trusted third party to provide signature stamps,
> > signature dates can be forged. A key revocation should result in
> > immediate questioning of all aspects of the key, as it currently does.
> 
> There is no reason to assume that the signature has been forged if the key
> has not been compromised.
> 
> Also, I see no reason why I should not be able to assign a trust to a
> revoked key - I might trust it even if the author revoked it as superseded:
> 
> 
>   $ gpg --edit 1BFBED44
>   [... info on revoked key ...]
>   gpg> lsign
>   Key is revoked.  Unable to sign.
> 
> I believe the reason matters. I can even sit down with the owner of the key
> and verify his ID and fingerprint and sign it, meaning "this key belongs to
> this person, but was superseded a week ago". It actually influences the
> validity of anything he signed up to a week ago.

Use gpg --lsign --expert 1BFBED44 to sign the key despite the revocation.

But this won't change the validity of the key. The validity of a revoked key 
is (and remains for all times) "revoked" (as far as gpg is concerned).


Regards,
Ingo
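
How the "revoked" validity discussed in this message reaches a script that verifies signatures, as an added example that is not part of the original post or of GnuPG itself: with --status-fd, gpg reports a cryptographically good signature made by a revoked key as REVKEYSIG rather than GOODSIG. The sample status lines, the key IDs and the strict accept() policy are constructed for illustration.

```python
# Added example: classify signature results from `gpg --status-fd` output.
# Keywords are the ones documented in GnuPG's doc/DETAILS; the verdict labels
# and the accept() policy are assumptions of this example.
PREFIX = "[GNUPG:] "

SIG_STATUS = {
    "GOODSIG":   ("good",    "signature good, key usable"),
    "EXPSIG":    ("warn",    "signature good, but the signature has expired"),
    "EXPKEYSIG": ("warn",    "signature good, but the signing key has expired"),
    "REVKEYSIG": ("revoked", "signature good, but the signing key is revoked"),
    "BADSIG":    ("bad",     "signature does not verify"),
    "ERRSIG":    ("error",   "signature could not be checked"),
}

def parse_status(lines):
    """Return one dict per signature result found in status-fd lines."""
    results = []
    for line in lines:
        if not line.startswith(PREFIX):
            continue  # ordinary stderr chatter, not a status line
        fields = line[len(PREFIX):].strip().split(" ", 2)
        keyword = fields[0]
        if keyword not in SIG_STATUS:
            continue  # NEWSIG, TRUST_*, etc. are not signature verdicts
        verdict, meaning = SIG_STATUS[keyword]
        results.append({
            "keyword": keyword,
            "verdict": verdict,
            "meaning": meaning,
            "keyid": fields[1] if len(fields) > 1 else "",
            "rest": fields[2] if len(fields) > 2 else "",
        })
    return results

def accept(results):
    """Strict policy: at least one signature, and every one plainly good."""
    return bool(results) and all(r["verdict"] == "good" for r in results)

# Constructed sample output (placeholder key IDs and user IDs).
SAMPLE_REVOKED = [
    "gpg: Signature made Tue Feb  3 10:00:00 2015 CET",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG 0123456789ABCDEF Example User <user@example.org>",
]
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Other User <other@example.org>",
]

if __name__ == "__main__":
    for name, sample in (("revoked", SAMPLE_REVOKED), ("good", SAMPLE_GOOD)):
        print(name, parse_status(sample), "accept =", accept(parse_status(sample)))
```

A policy that wants to honour signatures made before a "superseded" revocation has to establish the signing time from an independent source, since the date inside the signature is set by the signer.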