While implementing revocation key ("designated revoker") support for
GnuPG, I came across what seems to be a problem in the specification
of revocation keys.

The RFC says the key designated as the revocation key can issue
several types of revocations: key revocations (0x20), subkey
revocations (0x28), and certificate revocations (0x30). The first two
are not a problem since there is no confusion as to what they revoke.

The problem with certificate revocations is that it is not possible in
some cases to know which certificate is being revoked. For example,
take Alice, Bob, and Charlie. Bob is Alice's designated revoker.
Alice and Bob have both signed Charlie's key. Now Alice asks Bob to
revoke her signature on Charlie's key.

Since both Alice and Bob have signed Charlie's key, and the format of
a revocation that is issued by a designated revoker is the same as a
revocation issued by the key owner, the OpenPGP program has no way to
tell which certification is being revoked: is it Bob's or is it

A while back, someone suggested a "revocation target" signature
subpacket for revocation signatures that would contain the hash of the
signature that was being revoked. That would fix this problem, but
I'm open to any solution - does it even make sense to allow a
revocation key to issue certificate revocations? I always thought of
the revocation key as the "revoker of last resort" - more for
emergency key revocations in case of compromise or secret key loss
than for fine-grained control of previously issued signatures.
David Shaw | Technical Lead
<dshaw(_at_)akamai(_dot_)com> | Enterprise Content Delivery
617-250-3028 | Akamai Technologies
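The ambiguity above, modelled as an added example (not GnuPG code and not part of the original message): a 0x30 revocation from Bob's key matches both his own certification and Alice's, because Bob is her designated revoker, while a revocation carrying the suggested "revocation target" subpacket matches exactly one. Key IDs, user IDs and the SHA-256 digest standing in for the hash of the revoked signature are constructed placeholders, not real OpenPGP packet encodings.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Certification:  # a 0x10-0x13 certification on Charlie's key
    signer: str       # key ID of the issuing key (constructed value)
    target_key: str   # key ID of the certified key
    user_id: str

    def digest(self) -> str:
        # Stand-in for the hash of the signature packet (assumption).
        return hashlib.sha256(f"{self.signer}|{self.target_key}|{self.user_id}".encode()).hexdigest()


@dataclass
class Key:
    key_id: str
    revokers: Set[str] = field(default_factory=set)  # designated revoker key IDs


@dataclass(frozen=True)
class CertRevocation:  # signature type 0x30
    issuer: str
    target_key: str
    user_id: str
    revocation_target: Optional[str] = None  # hypothetical subpacket: digest of the revoked sig


def candidates(rev: CertRevocation, certs: List[Certification], keys: Dict[str, Key]) -> List[str]:
    """Signers whose certification this revocation could apply to.
    The issuer may revoke its own certifications and those of any key that names it as revoker."""
    matches = []
    for c in certs:
        if c.target_key != rev.target_key or c.user_id != rev.user_id:
            continue
        if c.signer != rev.issuer and rev.issuer not in keys[c.signer].revokers:
            continue
        if rev.revocation_target is not None and c.digest() != rev.revocation_target:
            continue  # the subpacket pins the revocation to one signature
        matches.append(c.signer)
    return matches


def demo():
    keys = {"alice": Key("alice", revokers={"bob"}), "bob": Key("bob"), "charlie": Key("charlie")}
    uid = "Charlie <charlie@example.org>"
    alice_cert = Certification("alice", "charlie", uid)
    certs = [alice_cert, Certification("bob", "charlie", uid)]
    plain = CertRevocation("bob", "charlie", uid)                    # format as in the RFC
    pinned = CertRevocation("bob", "charlie", uid, alice_cert.digest())  # with revocation target
    return candidates(plain, certs, keys), candidates(pinned, certs, keys)
```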