A problem in the web of trust model or a gnupg bug?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 25 00:45:18 CET 2016

On Fri 2016-02-19 08:26:12 -0500, Peter Lebbing wrote:
> I can't reproduce this. A revocation correctly invalidates any
> certifications *both* before or after the moment of revocation. After
> all, the time can be faked.[1]
> I tested with no "revocation reason" specified, by the way. But I don't
> think GnuPG uses the revocation reason for anything, although I'm not
> 100% sure.

according to https://tools.ietf.org/html/rfc4880#section- :

   If a key has been revoked because of a compromise, all signatures
   created by that key are suspect.  However, if it was merely
   superseded or retired, old signatures are still valid.  If the
   revoked signature is the self-signature for certifying a User ID, a
   revocation denotes that that user name is no longer in use.  Such a
   revocation SHOULD include a 0x20 code.

so the reason for revocation should affect whether signatures made
before the revocation are worthy of consideration.  however, "no reason
specified" should default to the safer/harsher situation, where all
signatures made by that key are no longer considered, regardless of



More information about the Gnupg-users mailing list