-----BEGIN PGP SIGNED MESSAGE-----
<disastry(_at_)saiknes(_dot_)lv> wrote:
> do not forget that sigs can be revoked not only by the *same creator*,
> but also by *designated revoker*.
> (AFAIK currently no PGP implementation supports designated revokers for
> userid signatures, but it is allowed in 5.2.1. 0x30)
I couldn't believe this, so I had to reread the spec, and indeed
that's what it says. Is it really intended that a designated revoker
should be able to revoke other *certifications* (not just the key)?
[Arguably, a revoker subpacket in a certification would permit that.
We're talking about a revoker subpacket in the key self-signature here.]
Indeed, PGP6.5 does not support this. It provides no way to generate
one, and even if it receives such a certificate revocation, it
applies only to the issuer (not keys for which it is designated).
[In fact, it isn't applied to subsequent signatures by the issuer,
suggesting that either: it is caching the validity computation
(but asking for reverification doesn't help), or it is applying
a "most recent prevails" rule.]
> btw currently it is not possible to know what is
> revoked by a designated revoker - the key's self signature or
> ...
Indeed, this is why this is a bad idea. I feel strongly that
a "designated revoker" subpacket should apply to only that
certificate. Usually that's a key-only self-signature,
and a revocation on that would affect *any* other signatures
made by that key.
> 11.1. says that key and subkey revocation is *before* signatures.
> Why make it different for userid revocation?
Fair point... "immediately preceding" would be more consistent.
But I am willing to give up on this.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBO5lEgmNDnIII+QUHAQFXbQf+Ktb06chrGiXgI3c7djOQWeNcd8Hw9D5B
qWGwHllrc03k8kaR3onkm1t6HYhLZqSbSLBspJWcNwBxHl+nmb8uIWSnOlBqukjO
ZpMrs4eZGt7sRTFGMiYu/F+O8EezlOleOpVzGzjqJdGMC/tgenB0Avp0c6ZLYF3A
7o3WjkQ9bTmnBe+PXIehtFROVyKyYpyrQrVk9jdmiM0fhUhzekQ1w0wJGyTmppeh
EX5BOKSkLcRYq6pKJtvlIVbT8liVWfJh9MWBaQBWBs4YJj/3DmoDcZzLqh0Dbsha
/ijzKO9tzPsfM8phAH5NRL2yTjUN4a9fXdhG1JnZOxMYN+Upt/fD+g==
=NFrt
-----END PGP SIGNATURE-----
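To make the disagreement above concrete, here is an added illustration (not part of the thread, and not code from any PGP implementation) that models a keyring as a list of signatures and computes which certifications survive 0x30 revocations under two readings of the draft: the "issuer-only" reading the message attributes to PGP 6.5, and the "designated" reading in which a revoker named on a certifier's key-only self-signature may also revoke that certifier's certifications. The 0x13 (positive certification) and 0x1F (direct key) type codes are taken from the OpenPGP signature-type table rather than from the thread; the `Sig` layout, the key ids and the timestamps are constructed for the example. A `most_recent_prevails` switch models the rule the message speculates PGP 6.5 applies, under which a certification issued after the revocation stands again.

```python
from dataclasses import dataclass
from typing import Optional

# Signature types from the OpenPGP signature-type table; only 0x30 is named in the thread
SIG_DIRECT_KEY = 0x1F      # key-only self-signature; carries the designated-revoker subpacket
SIG_POSITIVE_CERT = 0x13   # certification of a (key, userid) pair
SIG_CERT_REV = 0x30        # certification revocation (the 5.2.1 0x30 case under discussion)


@dataclass(frozen=True)
class Sig:
    sigtype: int
    issuer: str                     # key id of the signing key
    over_key: str                   # primary key the signature is bound to
    userid: Optional[str]           # userid certified or revoked; None for key-level sigs
    created: int                    # creation time, constructed small integers here
    revoker: Optional[str] = None   # designated-revoker subpacket (only on a 0x1F self-sig)


def designated_revokers(keyring, key):
    """Key ids named as revokers on `key`'s own key-only self-signature."""
    return {s.revoker for s in keyring
            if s.sigtype == SIG_DIRECT_KEY and s.issuer == key
            and s.over_key == key and s.revoker is not None}


def revocation_applies(rev, cert, keyring, policy, most_recent_prevails):
    """Whether 0x30 signature `rev` cancels certification `cert`.

    "issuer-only": a 0x30 counts only against certifications made by its own issuer.
    "designated": a revoker listed on the certifier's key-only self-signature may also
    revoke that certifier's certifications (the reading the thread objects to).
    """
    if rev.sigtype != SIG_CERT_REV or cert.sigtype != SIG_POSITIVE_CERT:
        return False
    # A 0x30 is over a (key, userid) pair; nothing in it singles out one certification
    if (rev.over_key, rev.userid) != (cert.over_key, cert.userid):
        return False
    same_issuer = rev.issuer == cert.issuer
    if policy == "issuer-only":
        in_scope = same_issuer
    elif policy == "designated":
        in_scope = same_issuer or rev.issuer in designated_revokers(keyring, cert.issuer)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if not in_scope:
        return False
    # "most recent prevails": a certification issued after the revocation stands again
    return rev.created > cert.created if most_recent_prevails else True


def valid_certifications(keyring, policy, most_recent_prevails=True):
    """Certifications surviving every applicable 0x30, as (issuer, key, userid, created)."""
    revs = [s for s in keyring if s.sigtype == SIG_CERT_REV]
    return sorted(
        (c.issuer, c.over_key, c.userid, c.created)
        for c in keyring if c.sigtype == SIG_POSITIVE_CERT
        and not any(revocation_applies(r, c, keyring, policy, most_recent_prevails)
                    for r in revs)
    )


# Constructed keyring: key A names R as designated revoker on a key-only self-signature
KEYRING = [
    Sig(SIG_DIRECT_KEY, "A", "A", None, 1, revoker="R"),
    Sig(SIG_POSITIVE_CERT, "A", "A", "Alice", 2),   # A's self-certification of its userid
    Sig(SIG_POSITIVE_CERT, "R", "A", "Alice", 3),   # R certifies A's userid in its own right
    Sig(SIG_POSITIVE_CERT, "A", "B", "Bob", 10),    # A certifies B's userid
    Sig(SIG_CERT_REV, "R", "B", "Bob", 20),         # R issues a 0x30 over B/Bob
    Sig(SIG_CERT_REV, "R", "A", "Alice", 25),       # R issues a 0x30 over A/Alice
    Sig(SIG_POSITIVE_CERT, "A", "B", "Bob", 30),    # A re-certifies B after R's 0x30
]

if __name__ == "__main__":
    for policy in ("issuer-only", "designated"):
        for mrp in (True, False):
            print(policy, "most-recent-prevails" if mrp else "unordered",
                  valid_certifications(KEYRING, policy, mrp))
```

Under "issuer-only" the 0x30 over A/Alice revokes only R's own certification, so A's self-certification and both of A's certifications of B survive. Under "designated" the same 0x30 also cancels A's self-certification, and the 0x30 over B/Bob cancels A's certification of B made before it: the revocation carries nothing that distinguishes "R withdrawing its own certification" from "R acting as A's revoker", which is the ambiguity the quoted message raises. Whether A's later re-certification of B survives then depends entirely on the ordering rule.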