ietf-openpgp

Re: Identifying revoked certificates

2001-09-07 15:08:39


<disastry(_at_)saiknes(_dot_)lv> wrote:
> do not forget that sigs can be revoked not only by the *same creator*,
> but also by a *designated revoker*.
> (AFAIK currently no PGP implementation supports designated revokers for
> userid signatures, but it is allowed in 5.2.1. 0x30)

I couldn't believe this, so I had to reread the spec, and indeed
that's what it says.  Is it really intended that a designated revoker
should be able to revoke other *certifications* (not just the key)?

[Arguably, a revoker subpacket in a certification would permit that.
We're talking about a revoker subpacket in the key self-signature here.]

Indeed, PGP6.5 does not support this.  It provides no way to generate
one, and even if it receives such a certificate revocation, it
applies only to the issuer (not keys for which it is designated).
[In fact, it isn't applied to subsequent signatures by the issuer,
suggesting that either: it is caching the validity computation
(but asking for reverification doesn't help), or it is applying
a "most recent prevails" rule.]

> btw currently it is not possible to know what is
> revoked by a designated revoker - the key's self-signature or
> ...

Indeed, this is why this is a bad idea.  I feel strongly that
a "designated revoker" subpacket should apply to only that
certificate.  Usually that's a key-only self-signature,
and a revocation on that would affect *any* other signatures
made by that key.

> 11.1. says that key and subkey revocation is *before* signatures.
> Why make it different for userid revocation?

Fair point... "immediately preceding" would be more consistent.
But I am willing to give up on this.

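The two readings argued over in this message, as an added example that is not code from the thread or from any PGP implementation: a small Python model that decides whether a 0x30 certification revocation applies to a user-ID certification, once under the RFC 2440 wording (the certification's issuer or a designated revoker named in the key's self-signature) and once under the issuer-only rule the author prefers, which is also how the message reports PGP 6.5 behaving. Key IDs such as "ALICE" are constructed labels, and the packet structure is reduced to the fields the decision needs.

```python
# Added example (not code from the thread): a model of who may revoke a
# user-ID certification. Key IDs such as "ALICE" are constructed labels.
from dataclasses import dataclass

CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # user-ID certifications, RFC 2440 5.2.1
CERT_REVOCATION = 0x30                  # certification revocation signature

@dataclass(frozen=True)
class Signature:
    sig_type: int
    issuer: str                   # key ID of the signing key
    target_issuer: str = ""       # for 0x30: issuer of the certification it revokes
    revocation_keys: tuple = ()   # revocation key subpackets (type 12) on a self-sig

@dataclass(frozen=True)
class Key:
    key_id: str
    self_sig: Signature           # key self-signature naming designated revokers

def revocation_applies(key: Key, cert: Signature, rev: Signature, rule: str) -> bool:
    """Does `rev` (0x30) revoke `cert`, a certification on one of `key`'s user IDs?
    "rfc2440": the 0x30 text admits the certification's own issuer or a designated
    revoker named in `key`'s self-signature.
    "issuer-only": the narrower rule argued for in the thread (and the behaviour the
    thread reports for PGP 6.5): only the certification's issuer may revoke it.
    """
    if cert.sig_type not in CERT_TYPES or rev.sig_type != CERT_REVOCATION:
        raise ValueError("need a certification and a 0x30 revocation")
    if rev.target_issuer != cert.issuer:
        return False              # revocation names some other certification
    if rev.issuer == cert.issuer:
        return True               # issuer revoking its own certification: valid under both
    if rule == "rfc2440":
        return rev.issuer in key.self_sig.revocation_keys
    if rule == "issuer-only":
        return False
    raise ValueError(f"unknown rule {rule!r}")

def demo() -> dict:
    """Alice names Rhea as designated revoker; Bob certifies Alice's user ID."""
    alice = Key("ALICE", Signature(0x1F, "ALICE", revocation_keys=("RHEA",)))
    bob_cert = Signature(0x13, "BOB")
    revocations = (Signature(0x30, "RHEA", target_issuer="BOB"),     # designated revoker
                   Signature(0x30, "BOB", target_issuer="BOB"),      # Bob himself
                   Signature(0x30, "MALLORY", target_issuer="BOB"))  # unrelated key
    return {(rev.issuer, rule): revocation_applies(alice, bob_cert, rev, rule)
            for rev in revocations for rule in ("rfc2440", "issuer-only")}
```

Only the designated revoker's revocation changes outcome between the two rules; the certification issuer's own revocation is accepted and an unrelated key's is rejected under both.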
