ietf-openpgp
Re: Series of minor questions about OpenPGP 4

2009-01-30 14:30:16

On Thu, Jan 29, 2009 at 11:30 PM, David Shaw <dshaw(_at_)jabberwocky(_dot_)com> wrote:
> It doesn't actually revoke all of them.  A 0x30 revocation on a 0x1F
> signature revokes (potentially) all of them that are a) from the same
> issuer (or from that issuer's designated revoker), and b) timestamped
> earlier than the revocation.  It cannot revoke ones that come after
> it.

Uhm? Why this? I'd thought it would only revoke the specifically
revoked signature, as "the signature is computed over the same data as
the certificate that it revokes".
Am I missing something?

> Even then there is the possibility of confusion of which signature you
> intend to revoke.  In those cases, you can always specify a particular
> signature to revoke using the Signature Target subpacket in the
> revocation.  Arguably, you could even revoke multiple signatures with
> one revocation by using multiple subpackets.
>
> Not, it should be pointed out, that many (any?) implementations
> support Signature Targets yet.  But the semantics are there.

Uhm ok,.. so how does an implementation figure out which certificate
is revoked by a revocation signature?
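
The matching rule as David Shaw states it in the quoted text, written out as an added example; it is not part of the original message and is not taken from any OpenPGP implementation. The `Sig` model, the `revoked_by` helper, the key IDs and the digests are constructed for illustration, and the Signature Target subpacket is reduced to a bare digest string.

```python
from dataclasses import dataclass

DIRECT_KEY = 0x1F        # signature type being revoked in the thread
CERT_REVOCATION = 0x30   # certification revocation signature

@dataclass(frozen=True)
class Sig:
    sig_type: int
    issuer: str          # issuer key ID (constructed value)
    created: int         # creation timestamp
    digest: str = ""     # simplified stand-in for the hash a Signature Target names
    targets: tuple = ()  # digests from Signature Target subpackets (revocations only)

def revoked_by(rev, candidates, revokers_of=None):
    """Return the signatures in `candidates` (all made over the same data)
    that the 0x30 revocation `rev` revokes under the quoted rule."""
    if rev.sig_type != CERT_REVOCATION:
        raise ValueError("not a 0x30 revocation")
    revokers_of = revokers_of or {}   # issuer -> designated revoker key IDs
    hit = []
    for sig in candidates:
        # a) same issuer, or that issuer's designated revoker
        same_issuer = rev.issuer == sig.issuer
        via_revoker = rev.issuer in revokers_of.get(sig.issuer, ())
        if not (same_issuer or via_revoker):
            continue
        # b) only signatures timestamped earlier than the revocation
        if sig.created >= rev.created:
            continue
        # Signature Target subpackets, when present, narrow the match
        if rev.targets and sig.digest not in rev.targets:
            continue
        hit.append(sig)
    return hit

# Constructed sample: three 0x1F signatures from one issuer, one from another
OLD = Sig(DIRECT_KEY, "AAAA", 100, "d1")
MID = Sig(DIRECT_KEY, "AAAA", 200, "d2")
NEW = Sig(DIRECT_KEY, "AAAA", 400, "d3")
OTHER = Sig(DIRECT_KEY, "BBBB", 150, "d4")
SIGS = [OLD, MID, NEW, OTHER]
BLANKET = Sig(CERT_REVOCATION, "AAAA", 300)
TARGETED = Sig(CERT_REVOCATION, "AAAA", 300, targets=("d2",))
DELEGATED = Sig(CERT_REVOCATION, "CCCC", 300)

if __name__ == "__main__":
    for rev in (BLANKET, TARGETED):
        print([s.digest for s in revoked_by(rev, SIGS)])
```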