On Thu, Jan 29, 2009 at 9:53 PM, David Shaw <dshaw(_at_)jabberwocky(_dot_)com>
wrote:
0x1F: which one would I have to use for that? A 0x20 key revocation
signature? Or would the completely revoke the whole key.
You revoke a 0x1F with a 0x30, same as you would use to revoke a
0x10-0x13. 0x1F is a certification.
Ooops XD
Does the whole thing make sense anyway? I mean would it be a clean or
at least working way to force ANY implementation to use only the most
recent self-signatures?
I suspect it wouldn't hurt, but wouldn't help much either. For
example, given this:
Signature === January 1
Signature === January 3
Signature === January 5
it is clear that the January 5 signature is the latest and the one to
use. Given this:
Signature === January 1
Revocation === January 2
Signature === January 3
Revocation === January 4
Signature === January 5
It's still clear which signature is the right one.
Yes, but it's not only clear. It is the ONLY way when following the RFC.
But in the example from above (I've added some information to it):
Signature using MD5 === January 1
Signature using MD5 === January 3
Signature using SHA256 === January 5
and implementation could say "oh I just understand MD5 and SHA1, but
not SHA256... well the MD5 from 03.01. isn't the most recent, but at
leas I understand it"
I suppose if you had an implementation that insisted on using the
first signature, regardless of the date, then the revocations would
force it to look at the last signature.. but then, an implementation
that did that may have other odd semantics elsewhere.
Of course...
It may conclude
that there is no signature at all (after all, the one signature it was
looking at is revoked).
Well,... even better than perhaps using the "dangerous" signature from
January the 1st, isn't it?
Would it work with the mayor implementations, PGP and GnuPG?
It would work in GnuPG.
Hal, Jon, would it work with PGP?
And would you experts here suggest to do the whole
revoke-old-self-sigs-trick in order to prevent that kind of "downgrade
attacks" (and possibly other evil things) I tried to describe above?
Thanks for your advice,
Peter