On 10/02/15 13:30, Kristian Fiskerstrand wrote:
> Unless you rely on a trusted third party to provide signature stamps,
> signature dates can be forged. A key revocation should result in immediate
> questioning of all aspects of the key, as it currently does.
Does GnuPG consciously not follow the RFC here, then? Otherwise, what does
this mean (RFC 4880 section 5.2.23, Reason for Revocation subpacket):

> An implementation SHOULD implement this subpacket, include it in all
> revocation signatures, and interpret revocations appropriately. There are
> important semantic differences between the reasons, and there are thus
> important reasons for revoking signatures.
>
> If a key has been revoked because of a compromise, all signatures created
> by that key are suspect. However, if it was merely superseded or retired,
> old signatures are still valid.

What is the important semantic difference between "Key is superseded" and
"Key material has been compromised", if past signatures are immediately
questioned?

Peter.

PS: Odd turn of the sentence, "there are thus important reasons for revoking
signatures." I wonder if they intended "there are thus important reasons for
handling the cases differently".

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
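As an added illustration of the two positions in this exchange (this is example code written for this page, not code from the post, from GnuPG or from Enigmail): the verifier below parses the hashed subpacket area of an OpenPGP revocation signature, reads the Reason for Revocation subpacket (type 29, RFC 4880 section 5.2.3.23) and the Signature Creation Time subpacket (type 2, section 5.2.3.4), and then applies the policy the quoted RFC text describes: "compromised" makes every signature suspect, "superseded" or "retired" keeps signatures made before the revocation. The `trust_signature_dates` switch encodes Kristian's caveat: without a trusted timestamp, the creation time inside a signature is chosen by whoever holds the private key, so the "before the revocation" test is only meaningful when that date can be trusted. The sample subpacket areas, reason strings and times are constructed for the example; the function names are the example's own.

```python
"""Added example, not from the post or from GnuPG: parse the hashed subpacket
area of an OpenPGP key-revocation signature (RFC 4880 section 5.2.3) and apply
the policy the quoted RFC text describes. The sample subpacket areas below are
constructed for this example; the reason strings are made up."""
import struct

# Subpacket types (RFC 4880 section 5.2.3.1)
SUBPKT_SIG_CREATION_TIME = 2       # section 5.2.3.4
SUBPKT_REASON_FOR_REVOCATION = 29  # section 5.2.3.23

# Reason codes from section 5.2.3.23
REASON_NO_REASON = 0x00
REASON_SUPERSEDED = 0x01
REASON_COMPROMISED = 0x02
REASON_RETIRED = 0x03
REASON_UID_INVALID = 0x20  # only meaningful on certification revocations


def parse_subpackets(area):
    """Return [(type, critical, body)] for a subpacket area (section 5.2.3.1)."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        type_octet = area[i]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]))
        i += length
    return out


def revocation_info(hashed_area):
    """Extract (reason code, reason text, revocation time) from a revocation signature."""
    reason, text, rev_time = REASON_NO_REASON, "", None
    for subpkt_type, critical, body in parse_subpackets(hashed_area):
        if subpkt_type == SUBPKT_SIG_CREATION_TIME and len(body) == 4:
            rev_time = struct.unpack(">I", body)[0]
        elif subpkt_type == SUBPKT_REASON_FOR_REVOCATION and body:
            reason, text = body[0], body[1:].decode("utf-8", "replace")
        elif critical:
            # Section 5.2.3.1: a critical subpacket this verifier does not
            # understand makes the whole signature an error.
            raise ValueError("unknown critical subpacket type %d" % subpkt_type)
    return reason, text, rev_time


def judge_signature(hashed_area, sig_time, trust_signature_dates=False):
    """Decide whether a data signature made at sig_time (Unix time) by the
    revoked key is 'valid' or 'suspect'. trust_signature_dates is the
    verifier's policy knob: without a trusted timestamp the creation time in
    a signature is set by whoever holds the private key, so it cannot
    separate pre-revocation signatures from later forgeries."""
    reason, _text, rev_time = revocation_info(hashed_area)
    if reason == REASON_COMPROMISED:
        return "suspect"          # every signature could be the attacker's
    if reason in (REASON_SUPERSEDED, REASON_RETIRED):
        if rev_time is None or sig_time >= rev_time:
            return "suspect"      # made after the owner stopped using the key
        return "valid" if trust_signature_dates else "suspect"
    return "suspect"              # no reason given (or a UID-only code): be conservative


def _subpacket(subpkt_type, body):
    """Encode one subpacket with a one-octet length (bodies here are short)."""
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, subpkt_type]) + body


# Constructed sample hashed areas; 1420070400 is 2015-01-01 00:00:00 UTC.
REVOCATION_TIME = 1420070400
SUPERSEDED_REVOCATION = (
    _subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", REVOCATION_TIME))
    + _subpacket(SUBPKT_REASON_FOR_REVOCATION, bytes([REASON_SUPERSEDED]) + b"moved to a new key")
)
COMPROMISED_REVOCATION = (
    _subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", REVOCATION_TIME))
    + _subpacket(SUBPKT_REASON_FOR_REVOCATION, bytes([REASON_COMPROMISED]) + b"laptop stolen")
)

if __name__ == "__main__":
    before, after = REVOCATION_TIME - 86400, REVOCATION_TIME + 86400
    for name, area in (("superseded", SUPERSEDED_REVOCATION), ("compromised", COMPROMISED_REVOCATION)):
        for when, t in (("before", before), ("after", after)):
            print(name, when, "trusted dates:", judge_signature(area, t, True),
                  "/ untrusted dates:", judge_signature(area, t))
```

Run as a script it prints the four cases for each reason. The only combination that yields "valid" is a superseded (or retired, which the example treats the same way, going slightly beyond the quoted text) key with a signature dated before the revocation and a verifier willing to trust that date; with `trust_signature_dates` left at its default every signature by a revoked key is "suspect", which is the behaviour Kristian describes. A reason code of 0x00 is also treated as suspect, since the RFC gives the verifier nothing to distinguish the cases.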