On Fri 2016-02-19 08:26:12 -0500, Peter Lebbing wrote:
> I can't reproduce this. A revocation correctly invalidates any
> certifications *both* before or after the moment of revocation. After
> all, the time can be faked.[1]
>
> I tested with no "revocation reason" specified, by the way. But I don't
> think GnuPG uses the revocation reason for anything, although I'm not
> 100% sure.

according to https://tools.ietf.org/html/rfc4880#section-5.2.3.23 :

    If a key has been revoked because of a compromise, all signatures
    created by that key are suspect. However, if it was merely
    superseded or retired, old signatures are still valid. If the
    revoked signature is the self-signature for certifying a User ID, a
    revocation denotes that that user name is no longer in use. Such a
    revocation SHOULD include a 0x20 code.

so the reason for revocation should affect whether signatures made
before the revocation are worthy of consideration.

however, "no reason specified" should default to the safer/harsher
situation, where all signatures made by that key are no longer
considered, regardless of timestamp.

hth,

        --dkg
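
The rule discussed in this message, written out as an added example (not part of the original e-mail and not GnuPG's code): it parses the body of an RFC 4880 Reason for Revocation subpacket and decides whether a signature made by the revoked key is still considered. The function names, the sample subpacket bodies and the dates are constructed for illustration, and treating every code other than "superseded" or "retired" as the harsh case is an assumption of this sketch.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

# Reason codes defined in RFC 4880 section 5.2.3.23.
NO_REASON, SUPERSEDED, COMPROMISED, RETIRED = 0x00, 0x01, 0x02, 0x03
# Only these two leave signatures older than the revocation valid.
SOFT_REASONS = {SUPERSEDED, RETIRED}


def parse_reason(body: Optional[bytes]) -> Tuple[int, str]:
    """Split a Reason for Revocation subpacket body into (code, text).

    The body is one octet of reason code followed by a UTF-8 string.
    A missing or empty subpacket is reported as NO_REASON.
    """
    if not body:
        return NO_REASON, ""
    return body[0], body[1:].decode("utf-8", errors="replace")


def signature_considered(reason_body: Optional[bytes],
                         revoked_at: datetime,
                         signed_at: datetime) -> bool:
    """Decide whether a signature from a revoked key is still considered."""
    code, _text = parse_reason(reason_body)
    if code not in SOFT_REASONS:
        # Compromise, no reason given, or a code this sketch does not
        # know: reject every signature, whatever its timestamp says.
        return False
    # Superseded or retired: keep signatures dated before the revocation.
    # signed_at is asserted by the signer and can be faked, which is why
    # the branch above ignores it entirely.
    return signed_at < revoked_at


# Constructed sample data.
REVOKED_AT = datetime(2016, 2, 1, tzinfo=timezone.utc)
OLD_SIG = datetime(2015, 6, 1, tzinfo=timezone.utc)
NEW_SIG = datetime(2016, 2, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for body in (b"\x02key stolen", b"\x01new key issued", b"\x03", b"\x00", None):
        code, text = parse_reason(body)
        print(f"code=0x{code:02x} text={text!r} "
              f"old={signature_considered(body, REVOKED_AT, OLD_SIG)} "
              f"new={signature_considered(body, REVOKED_AT, NEW_SIG)}")
```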