ietf-openpgp

Re: [openpgp] subkey revocation signatures -- RFC compliance?

2012-07-27 03:11:12
On Fri, 27 Jul 2012 06:39, dkg(_at_)fifthhorseman(_dot_)net said:

   the first octet).  Key revocation signatures (types 0x20 and 0x28)
   hash only the key being revoked.
[...]

This text goes back to the very first published draft from March 98 (the
I-D states 1997, but this is a typo).

The subkey revocation packet generated by GnuPG 1.4.12 appears to be
made over a digest that includes both the primary key and the subkey.

So PGP and GnuPG have never been OpenPGP compliant.  Good catch.

I don't have that old OpenPGP toolkit implementation around anymore.  We
should check what it does.

The way it is implemented by GnuPG and PGP might technically be
justified by:

   0x28: Subkey revocation signature
       The signature is calculated directly on the subkey being revoked.
       A revoked subkey is not to be used.  Only revocation signatures
       by the top-level signature key that is bound to this subkey, or
       by an authorized revocation key, should be considered valid
       revocation signatures.

With the exception of an authorized revocation key, the primary key is
required to check the signature and thus it needs to be available.
Hashing the primary key along with the subkey is what we have to do for
other key signatures anyway.

We would need to dive into the WG archives to see why we came up with
the specific requirement.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
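
The two readings discussed in the message above, as an added example that is not part of the original post and is not GnuPG or PGP code: it builds the data a V4 subkey revocation (0x28) signature is hashed over, once with only the subkey and once with primary key plus subkey, following the RFC 4880 V4 hashing layout. The function names, the toy RSA keys and the timestamps are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA (algorithm 1) public key or subkey packet."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def key_hash_block(body: bytes) -> bytes:
    """A key as it is fed to the hash: 0x99, two-octet length, packet body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_sig_hashed_part(sig_type: int, created: int) -> bytes:
    """Hashed V4 signature fields followed by the 0x04 0xFF length trailer."""
    subpackets = b"\x05\x02" + struct.pack(">I", created)  # signature creation time
    # version 4, signature type, pubkey algorithm 1 (RSA), hash algorithm 8 (SHA-256)
    head = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(subpackets)) + subpackets
    return head + b"\x04\xff" + struct.pack(">I", len(head))

def subkey_revocation_digest(primary: bytes, subkey: bytes, created: int,
                             include_primary: bool) -> bytes:
    """Digest a 0x28 signature is made over under either reading of the text."""
    data = key_hash_block(primary) if include_primary else b""
    data += key_hash_block(subkey) + v4_sig_hashed_part(0x28, created)
    return hashlib.sha256(data).digest()

# Constructed sample keys: toy moduli, not real key material.
PRIMARY = v4_rsa_key_body(1343350000, (1 << 127) + 0x1D, 65537)
SUBKEY = v4_rsa_key_body(1343350001, (1 << 127) + 0x33, 65537)
WHEN = 1343358672  # constructed signature creation time

# "hash only the key being revoked" versus primary key followed by subkey
subkey_only = subkey_revocation_digest(PRIMARY, SUBKEY, WHEN, include_primary=False)
primary_and_subkey = subkey_revocation_digest(PRIMARY, SUBKEY, WHEN, include_primary=True)

if __name__ == "__main__":
    print("subkey only      :", subkey_only.hex())
    print("primary + subkey :", primary_and_subkey.hex())
```

The two digests differ, so a verifier that implements one reading rejects revocation signatures produced under the other.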
