Re: HKPS issue with static build of gnupg 2.0.26: checking whether curl is usable: no

2015-02-10 Thread isdtor
Not a gnupg problem. If the root cause for this behaviour is the failure to link against libcurl, it's either the openssl ebuild or openssl's own build system. I suspect the latter ... # equery u openssl [ Legend : U - final flag setting for installation] [: I - package is installed with f

Re: Revoked keys and past signatures

2015-02-10 Thread Hugo Osvaldo Barrera
On 2015-02-10 12:28, Peter Lebbing wrote: > On 09/02/15 20:34, Daniel Kahn Gillmor wrote: > > the *date* of your "key was superceded" revocation is relevant, > > though. Any certifications that claim to have happened after the date > > of the revocation *should* be considered invalid, whereas revoc

Re: Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 09/02/15 20:34, Daniel Kahn Gillmor wrote: > the *date* of your "key was superceded" revocation is relevant, > though. Any certifications that claim to have happened after the date > of the revocation *should* be considered invalid, whereas revocations > that happen before that date (but after t

Re: Revoked keys and past signatures

2015-02-10 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 02/10/2015 12:28 PM, Peter Lebbing wrote: > On 09/02/15 20:34, Daniel Kahn Gillmor wrote: >> the *date* of your "key was superceded" revocation is relevant, >> though. Any certifications that claim to have happened after the >> date of the revoca

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 12:52, Kristian Fiskerstrand wrote: > No, the signature is still valid: > >> $ gpg2 --verify test.gpg gpg: Signature made Tue 10 Feb 2015 >> 11:53:47 CET using RSA key ID > B2F1C0D8 >> gpg: Good signature from "Testkey 3" [unknown] > ^^ > In my opinion, the signat

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 13:24, Peter Lebbing wrote: > If you're convinced you're not mistaken, could you please take the time > to show me where this data signature from a revoked key is any different > than a signature from any random invalid key? Quick correction: If you're convinced you're not mistaken, c

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 02/10/2015 01:24 PM, Peter Lebbing wrote: > On 10/02/15 12:52, Kristian Fiskerstrand wrote: >> No, the signature is still valid: >> > > Why? The key was revoked because it was superseded or has been > retired, not because it was stolen or com

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/02/15 13:30, Kristian Fiskerstrand wrote: > Unless you rely on a trusted third party to provide signature stamps, > signature dates can be forged. A key revocation should result in immediate > questioning of all aspects of the key, as it current

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Hugo Osvaldo Barrera
On 2015-02-10 13:30, Kristian Fiskerstrand wrote: > On 02/10/2015 01:24 PM, Peter Lebbing wrote: > > On 10/02/15 12:52, Kristian Fiskerstrand wrote: > >> No, the signature is still valid: > >> > > > > > Why? The key was revoked because it was superseded or has been > > retired, not because it wa

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 08:37:38 -0500, Hugo Osvaldo Barrera wrote: > Also, I see no reason why I should not be able to assign a trust to a revoked > key - I might trust it even if the author revoked it as superseded: > > > $ gpg --edit 1BFBED44 > [... info on revoked key ...] > gpg> lsign > Key

moving up from 2.0.26 to 2.1.1

2015-02-10 Thread Philip Jackson
I've been a linux user for less than a year and the only configure/make/install I've done is for 2.0.26 and its dependencies (when I couldn't get the distro supplied package 2.0.22 to work). Now when I look at the dependencies for gnupg 2.1.1, I see that I need to upgrade libassuan to 2.2.0, libg

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Hauke Laging
Am Di 10.02.2015, 13:01:17 schrieb Daniel Kahn Gillmor: > > I can even sit down with the owner of > > the key and verify his ID and fingerprint and sign it, meaning > > "this key belongs to this person, but was superseeded a week ago". > > If actually influences the validity of anything he signed

status of ed25519 draft

2015-02-10 Thread Brian Minton
Is there any way to see the progress of the IETF working group on the draft Werner has submitted? I noticed that the draft expires in May. In particular, I would like to know if 22 is going to be the IANA standardized Public-Key Algorithm number. signature.asc Description: OpenPGP digital

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Ingo Klöcker
On Tuesday 10 February 2015 10:37:38 Hugo Osvaldo Barrera wrote: > On 2015-02-10 13:30, Kristian Fiskerstrand wrote: > > On 02/10/2015 01:24 PM, Peter Lebbing wrote: > > > On 10/02/15 12:52, Kristian Fiskerstrand wrote: > > >> No, the signature is still valid: > > > Why? The key was revoked because

Re: moving up from 2.0.26 to 2.1.1

2015-02-10 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 14:09:59 -0500, Philip Jackson wrote: > I've been a linux user for less than a year and the only > configure/make/install > I've done is for 2.0.26 and its dependencies (when I couldn't get the distro > supplied package 2.0.22 to work). > > Now when I look at the dependencies for

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 13:20:03 -0500, Hauke Laging wrote: >> your certifications (whether local or exportable) themselves have a >> timestamp in them. It would be silly to certify a key and its user ID >> after it was revoked by the owner; you'd be claiming "i believe that >> right now this is the cor

Sign key with externalized master key

2015-02-10 Thread Xavier Maillard
Hello, May I ask how one would sign public keys when a "master key" is stored onto an USB stick ? I followed instructions from [1]. Now I am in the process of announcing my key transition to all old signers *but*, as a last test, I just tested public signature with my "master key" and this is whe