A problem in the web of trust model or a gnupg bug?

Andrea Dari andreadari91 at gmail.com
Fri Feb 19 15:12:34 CET 2016


1) This is the general situation:

http://pastebin.com/NXuJj2h5

User one is the user that I fully trust and has a revocation dated on 18
February 2016

2) Here you can see User one's pubkey details:

http://pastebin.com/g2tQKzPN

3) Here you can see that user three is treated with validity = full even if
it is signed after the revocation of User one's key.

http://pastebin.com/EEGXcNa2

Fortunately, this is not a real situation, but I tested it to understand
what happens in these cases, because I wasn't able to find any
documentation about it.


2016-02-19 14:26 GMT+01:00 Peter Lebbing <peter at digitalbrains.com>:

> I can't reproduce this. A revocation correctly invalidates any
> certifications *both* before and after the moment of revocation. After
> all, the time can be faked.[1]
>
> I tested with no "revocation reason" specified, by the way. But I don't
> think GnuPG uses the revocation reason for anything, although I'm not
> 100% sure.
>
> Could you show some of the output you get, possibly redacted for privacy?
>
> As a very simple explanation, are you overlooking a different
> certification on the key that is still valid and trusted?
>
> I used GnuPG 2.1.11.
>
> HTH,
>
> Peter.
>
> [1] Other than that, if you revoke a key using the revocation
> certificate you made when the key was created, it will show a revocation
> date equal to the creation date even though you only uploaded the
> certificate years later, for example. Even if only certifications made
> after revocation would be invalidated, that situation would still
> invalidate all revocations, since they're all later than the key
> creation. This is not very relevant to your problem, though, I just
> thought it was an interesting observation.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>