----- Original Message -----
From: "David Shaw" <dshaw(_at_)akamai(_dot_)com>
To: <ietf-openpgp(_at_)imc(_dot_)org>
Sent: Tuesday, February 26, 2002 6:57 PM
Subject: Re: Revocation key difficulty
On Tue, Feb 26, 2002 at 05:22:35PM -0600,
john(_dot_)dlugosz(_at_)kodak(_dot_)com wrote:
Hmm, so how would it be used? Alice had signed Charlie's key, and now
Alice's key is compromised, so Bob decides to remove Alice's signature
from
Charlie's key. Why?
...
Exactly. It seems to make more sense to Bob for issue a general key
revocation (sigclass 0x20) for Alice's key, rather than issue a
certification revocation (sigclass 0x30) for Alice's signature on
Charlie's key.
...
A possible reason why it may be beneficial to to have a revoker selectively
revoke only the signature,
may be if one is forced to give up an RSA encryption key.
{Hopefully, this should never have to be, and the session key should be
enough for the authorities,
but if it 'were' to happen ...,}
Then, to avoid anyone else signing with Alice's key {if it would be
surrendered},
Alice may want two separate RSA keys, her original one for encrypting, and
another one for signing.
Alice then publicly declares that she is no longer signing with her original
RSA key.
Sometime later, someone else's key that Alice once signed, is now
'questionable', and Alice wants her signature removed.
Now her designated revoker can accomplish this.
vedaal