
Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]

2019-08-23 15:42:13
On Fri 2019-08-23 11:48:41 -0400, vedaal(_at_)nym(_dot_)hush(_dot_)com wrote:
> What if the third party signature just had an 'expiration' option ?
>
> (e.g.    Signature validity:  0,  Forever;     1,  1 year;    n,  n years)

This is already possible!  Most third-party certifications I make have
such an expiration.  It works fine with most implementations afaict.

However, expirations are not the same as revocations.

> This allows for 'expiration' of validation in the event of possible
> compromise,
> and if it is not compromised, then the signer can 're-sign'/'update' the
> certification,
> send it to the key owner, who can then upload it to the server.

In the scenario i described, the "key owner" is non-responsive, but the
certifier still wants to make sure her certification is visibly revoked.
She can't rely on the key owner's responsiveness -- they could even be
dead!  Her obligations are to the people who rely on her certifications,
and she needs to make the revocation visible to them promptly,
regardless of how the first party behaves.

          --dkg

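The distinction the message draws (an expiration is baked into the certification itself and only takes effect when the clock runs out; a revocation is a separate signature the certifier can publish the moment she needs to) can be made concrete with a small parser. The following is an added example, not code from the thread or from any OpenPGP implementation: it encodes and decodes v4 signature packets in the RFC 4880 layout (tag 2, hashed/unhashed subpacket areas, subpacket types 2, 3, 16 and 29) and evaluates what a relying party concludes at a given moment. The packets, timestamps and issuer key ID are constructed for the example and carry a placeholder MPI instead of a real signature, so nothing here verifies cryptography; `certification_status` is a hypothetical helper, not an API of any library.

```python
"""Added example: expiring certifications vs. certification revocations.

Packet layout follows RFC 4880 section 5.2 (v4 signatures, new-format
packet headers). All packets here are constructed and unsigned (placeholder
MPI); the example only reasons about signature type and subpackets."""
import struct

# Signature types (RFC 4880 section 5.2.1)
SIG_TYPE_CERTS = (0x10, 0x11, 0x12, 0x13)   # generic/persona/casual/positive certification
SIG_TYPE_CERT_REVOCATION = 0x30             # certification revocation

# Subpacket types (RFC 4880 section 5.2.3.1)
SP_CREATION_TIME = 2       # 4-octet time the signature was made
SP_EXPIRATION_TIME = 3     # 4-octet lifetime in seconds after creation
SP_ISSUER_KEY_ID = 16      # 8-octet issuer key ID
SP_REVOCATION_REASON = 29  # 1-octet code followed by UTF-8 text

ONE_YEAR = 365 * 24 * 3600
CERTIFIER = bytes.fromhex("0123456789abcdef")  # constructed issuer key ID
T0 = 1_566_000_000                              # constructed timestamp (Aug 2019)


def _subpacket(sp_type, body):
    """Encode one subpacket in the one-octet length form (length covers the type octet)."""
    length = len(body) + 1
    if length >= 192:
        raise ValueError("toy encoder only emits one-octet subpacket lengths")
    return bytes([length, sp_type]) + body


def build_signature_packet(sig_type, created, issuer, expires_after=None,
                           reason=None, unhashed=b""):
    """Build a new-format tag-2 packet holding a v4 signature with the given
    hashed subpackets (creation time, issuer, optional expiration and reason)."""
    hashed = _subpacket(SP_CREATION_TIME, struct.pack(">I", created))
    hashed += _subpacket(SP_ISSUER_KEY_ID, issuer)
    if expires_after is not None:
        hashed += _subpacket(SP_EXPIRATION_TIME, struct.pack(">I", expires_after))
    if reason is not None:
        code, text = reason
        hashed += _subpacket(SP_REVOCATION_REASON, bytes([code]) + text.encode())
    body = bytes([4, sig_type, 1, 8])              # version 4, type, RSA, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x00\x00"                             # left 16 bits of hash (placeholder)
    body += struct.pack(">H", 8) + b"\xff"          # placeholder 8-bit MPI
    if len(body) >= 192:
        raise ValueError("toy encoder only emits one-octet packet lengths")
    return bytes([0xC0 | 2, len(body)]) + body


def _read_length(data, i, subpacket):
    """Decode the one/two/five-octet length form shared by new-format packet
    headers and subpackets; partial body lengths (headers only) are rejected."""
    first = data[i]
    if first < 192:
        return first, i + 1
    if first == 255:
        return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    if subpacket or first < 224:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    raise ValueError("partial body lengths are not supported here")


def _parse_subpackets(area):
    out, i = {}, 0
    while i < len(area):
        length, i = _read_length(area, i, subpacket=True)
        sp_type = area[i] & 0x7F                    # high bit is the "critical" flag
        out[sp_type] = area[i + 1:i + length]
        i += length
    return out


def parse_signature_packet(pkt):
    """Return type, issuer, creation time, expiration and reason of a v4 signature."""
    if pkt[0] & 0xC0 != 0xC0 or pkt[0] & 0x3F != 2:
        raise ValueError("expected a new-format signature packet (tag 2)")
    body_len, i = _read_length(pkt, 1, subpacket=False)
    body = pkt[i:i + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported signature version")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = _parse_subpackets(body[6:6 + hashed_len])
    j = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[j:j + 2])[0]
    unhashed = _parse_subpackets(body[j + 2:j + 2 + unhashed_len])
    # Only the hashed area is covered by the signature: creation time,
    # expiration and reason are taken from it alone. The issuer key ID is
    # conventionally allowed in the unhashed area, so it is accepted there.
    sig = {"type": body[1],
           "issuer": hashed.get(SP_ISSUER_KEY_ID, unhashed.get(SP_ISSUER_KEY_ID)),
           "created": struct.unpack(">I", hashed[SP_CREATION_TIME])[0],
           "expires_after": None, "reason": None}
    if SP_EXPIRATION_TIME in hashed:
        sig["expires_after"] = struct.unpack(">I", hashed[SP_EXPIRATION_TIME])[0]
    if SP_REVOCATION_REASON in hashed:
        raw = hashed[SP_REVOCATION_REASON]
        sig["reason"] = (raw[0], raw[1:].decode("utf-8", "replace"))
    return sig


def certification_status(packets, issuer, now):
    """What a relying party who trusts `issuer` concludes at time `now` from
    that issuer's certifications and certification revocations over one
    (primary key, user ID) pair. Signatures by other issuers are ignored."""
    sigs = [s for s in map(parse_signature_packet, packets) if s["issuer"] == issuer]
    certs = [s for s in sigs if s["type"] in SIG_TYPE_CERTS]
    if not certs:
        return "no certification"
    newest = max(certs, key=lambda s: s["created"])
    # A 0x30 signature retracts certifications made at or before its creation.
    for s in sigs:
        if s["type"] == SIG_TYPE_CERT_REVOCATION and s["created"] >= newest["created"]:
            return "revoked"
    if newest["expires_after"] is not None and now >= newest["created"] + newest["expires_after"]:
        return "expired"
    return "valid"


def scenario():
    """Constructed situation: a one-year certification, trouble 30 days in,
    first party unreachable. Compare the two strategies from the thread."""
    cert = build_signature_packet(0x13, T0, CERTIFIER, expires_after=ONE_YEAR)
    revocation = build_signature_packet(0x30, T0 + 30 * 86400, CERTIFIER,
                                        reason=(0x00, "certification withdrawn"))
    now = T0 + 30 * 86400
    return {"expiration only, now": certification_status([cert], CERTIFIER, now),
            "expiration only, a year later": certification_status([cert], CERTIFIER, T0 + ONE_YEAR),
            "with revocation, now": certification_status([cert, revocation], CERTIFIER, now)}


def unhashed_expiration_is_ignored():
    """An expiration placed only in the unhashed area is not signed and carries no weight."""
    bogus = _subpacket(SP_EXPIRATION_TIME, struct.pack(">I", 1))
    cert = build_signature_packet(0x13, T0, CERTIFIER, unhashed=bogus)
    return certification_status([cert], CERTIFIER, T0 + 10 * ONE_YEAR)


if __name__ == "__main__":
    for label, status in scenario().items():
        print(f"{label}: {status}")
    print("unhashed expiration ignored:", unhashed_expiration_is_ignored() == "valid")
```

Two points worth noting. First, the revocation needs nothing from the first party: it is a signature the certifier produces and can publish on her own, whereas the expiring certification stays "valid" to every relying party until the window closes. Second, a relying party must read expiration and creation times only from the hashed subpacket area; the unhashed area is not covered by the signature, so an attacker who can add or strip subpackets there could otherwise extend or shorten a certification at will.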
