At 8:49 PM -0400 4/17/02, David Shaw wrote:
The first item is that there is no way to revoke a 0x1F signature.
Since the designated revoker information is contained in an 0x1F
signature, this means that once a user designates a designated
revoker, the user cannot later undo the designation if circumstances
change.
I'd like to request a new signature class to indicate a 0x1F
revocation or an expansion of the meaning of one of the existing
revocation signature classes to include 0x1F signatures.
It is the intent of the designated revoker feature that it cannot be
revoked. Otherwise it's too hairy for words.
Here's a scenario: Suppose Alice is your designated revoker. You discover
that your key is being used by persons unknown for purposes you don't
approve of -- oh, like spending your money. Let's also assume that you no
longer have the secret key (let's say your laptop was stolen).
You visit Alice, explaining the problem, and she generates a revocation for
your certificate. After all, that's why she's your revoker. Alice sends it
to the world. Or you send it to the world for Alice.
The next day, a merchant cashes another bogus check. You call up the
merchant and ask, "What the heck are you doing? Didn't you see Alice's
revocation of that key." The merchant replies, "Yeah, but I also have a
revocation of Alice's revoker status dated April 1, 1999."
How do you revoke your key if the revocation can be revoked? If your key is
compromised, the person who has it can do anything they want, including
revoke your revoker. The designated revoker might as well not be there if
it's not irrevocable. Now it's true, we also have an irrevocability
subpacket. But nonetheless, it can't be revocable.
Jon