At 10:46 AM +0200 5/26/00, Florian Weimer wrote:
From draft-ietf-openpgp-rfc2440bis-00, 5.2.3.23, "Reason for
Revocation":
| A revoked certification no longer is a part of validity
| calculations.
We were a bit surprised when we discovered this change to RFC 2440
because RFC 2440 primarily specifies the OpenPGP message format,
and not the behavior of implementations when they encounter certain
OpenPGP messages, much to our discomfort.
Umm, so what is the problem? Is there a reason that a revoked certification
*should* be part of validity calculations?
You're correct that 2440 is a syntax document, not a semantics document.
However, there are times when you have to hint at semantics when you're
describing syntax.
In this particular case, OpenPGP does not specify a trust model. At one
time, there were going to be a series of documents describing various trust
models that one might use (for example, the so-called web of trust), but no
one has seen fit to write these documents.
However, even though we don't specify what validity calculations to use,
there are nonetheless syntactic things we have to say about them. Whatever
validity model you're using, it seems pretty straight forward that a
revoked certification is null and void. That's all this is saying. It's in
2440bis because consensus asked that it be there.
Jon