A problem in the web of trust model or a gnupg bug?

Andrea Dari andreadari91 at gmail.com
Fri Feb 19 11:25:28 CET 2016


In my public keyring I have a public key signed on 19 February 2016 by
a user (pbkey) that I trust fully, but that same pbkey of the user I
trust was revoked on 18 February 2016.

So the question is, how can it be possible that a pbkey signed after a key
revocation, which could easily be done by a malicious user, is treated by
gnupg as fully valid?

This, in my opinion, should break the chain of trust for keys signed after
a key revocation.

A possible solution could be to change the trust of the revoked key from
full to untrusted, but in that case all the keys signed before the
revocation would be treated as having unknown validity, which is not what a user
would want.

Thanks to those who want to respond.
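As an added illustration of the trust computation the post is asking about (this is not code from the original post or from GnuPG, and it simplifies the web of trust to two levels, "full" and "unknown"), the model below compares three ways of handling a certification made after the certifier's key was revoked: ignoring the revocation date, applying a date-aware check, and downgrading the revoked key's owner trust. All keys, names and dates are constructed to mirror the scenario in the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

FULL, UNKNOWN = "full", "unknown"   # simplified owner-trust / validity levels

@dataclass(frozen=True)
class Key:
    uid: str
    owner_trust: str = UNKNOWN           # how much we trust this key's certifications
    revoked_on: Optional[date] = None    # date the key was revoked, if any (constructed)

@dataclass(frozen=True)
class Certification:
    signer: Key       # key that made the certification
    target: str       # uid of the key being certified
    made_on: date     # creation date of the certification signature

def cert_counts(cert: Certification, date_aware: bool) -> bool:
    """True if this certification contributes to the target's validity."""
    if cert.signer.owner_trust != FULL:
        return False
    if date_aware and cert.signer.revoked_on and cert.made_on > cert.signer.revoked_on:
        # date-aware rule: a certification made after the certifier's
        # own revocation is ignored, earlier ones still count
        return False
    return True

def validity(target: str, certs: List[Certification], date_aware: bool) -> str:
    """Validity of a key: FULL if any counting certification names it."""
    return FULL if any(c.target == target and cert_counts(c, date_aware)
                       for c in certs) else UNKNOWN

# Constructed scenario from the post: a fully trusted certifier whose key
# was revoked on 18 Feb 2016, and a certification it made on 19 Feb 2016.
alice = Key("alice", owner_trust=FULL, revoked_on=date(2016, 2, 18))
# The "downgrade to untrusted" workaround discussed in the post.
alice_untrusted = Key("alice", owner_trust=UNKNOWN, revoked_on=date(2016, 2, 18))

def scenario(signer: Key) -> dict:
    """Validity of two keys: one certified before, one after the revocation."""
    certs = [
        Certification(signer, "bob", date(2016, 1, 10)),    # before revocation
        Certification(signer, "carol", date(2016, 2, 19)),  # after revocation
    ]
    return {
        "naive": (validity("bob", certs, False), validity("carol", certs, False)),
        "date_aware": (validity("bob", certs, True), validity("carol", certs, True)),
    }
```

With `scenario(alice)` the naive rule marks both keys fully valid, the date-aware rule keeps only the pre-revocation certification, and `scenario(alice_untrusted)` shows that downgrading owner trust discards both.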

