Re: Identifying revoked certificates

"Michael Young" <mwy-opgp97@the-youngs.org> Fri, 07 September 2001 22:21 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA00152 for <openpgp-archive@odin.ietf.org>; Fri, 7 Sep 2001 18:21:18 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id f87M8di23426 for ietf-openpgp-bks; Fri, 7 Sep 2001 15:08:39 -0700 (PDT)
Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f87M8bD23422 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 15:08:37 -0700 (PDT)
Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id SAA15520 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 18:00:43 -0400 (EDT)
Received: from mwyoung (dhcp-194-28.transarc.ibm.com [9.38.194.228]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id SAA09339 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 18:08:33 -0400 (EDT)
Message-ID: <00ae01c137e9$24037ac0$c23fa8c0@transarc.ibm.com>
From: Michael Young <mwy-opgp97@the-youngs.org>
To: ietf-openpgp@imc.org
References: <3B987EBD.27F70B44@saiknes.lv>
Subject: Re: Identifying revoked certificates
Date: Fri, 07 Sep 2001 18:05:01 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----

<disastry@saiknes.lv> wrote:
> do not forget that sigs can be revoked not only by the *same creator*,
> but also by *designated revoker*.
> (AFAIK currently no PGP implementation supports designated revokers for
> userid signatures, but it is allowed in 5.2.1. 0x30)

I couldn't believe this, so I had to reread the spec, and indeed
that's what it says.  Is it really intended that a designated revoker
should be able to revoke other *certifications* (not just the key)?

[Arguably, a revoker subpacket in a certification would permit that.
We're talking about a revoker subpacket in the key self-signature here.]

Indeed, PGP6.5 does not support this.  It provides no way to generate
one, and even if it receives such a certificate revocation, it
applies only to the issuer (not keys for which it is designated).
[In fact, it isn't applied to subsequent signatures by the issuer,
suggesting that either: it is caching the validity computation
(but asking for reverification doesn't help), or it is applying
a "most recent prevails" rule.]

> btw currently it is not possible to know what is
> revoked by a designated revoker - the key's self-signature or
...

Indeed, this is why this is a bad idea.  I feel strongly that
a "designated revoker" subpacket should apply to only that
certificate.  Usually that's a key-only self-signature,
and a revocation on that would affect *any* other signatures
made by that key.

> 11.1. says that key and subkey revocation is *before* signatures.
> why make it different for userid revocation?

Fair point... "immediately preceding" would be more consistent.
But I am willing to give up on this.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO5lEgmNDnIII+QUHAQFXbQf+Ktb06chrGiXgI3c7djOQWeNcd8Hw9D5B
qWGwHllrc03k8kaR3onkm1t6HYhLZqSbSLBspJWcNwBxHl+nmb8uIWSnOlBqukjO
ZpMrs4eZGt7sRTFGMiYu/F+O8EezlOleOpVzGzjqJdGMC/tgenB0Avp0c6ZLYF3A
7o3WjkQ9bTmnBe+PXIehtFROVyKyYpyrQrVk9jdmiM0fhUhzekQ1w0wJGyTmppeh
EX5BOKSkLcRYq6pKJtvlIVbT8liVWfJh9MWBaQBWBs4YJj/3DmoDcZzLqh0Dbsha
/ijzKO9tzPsfM8phAH5NRL2yTjUN4a9fXdhG1JnZOxMYN+Upt/fD+g==
=NFrt
-----END PGP SIGNATURE-----
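Added example (not part of the message above, nor code from PGP 6.5 or any OpenPGP implementation): a small parser for the subpacket area of v4 signature packets, used to pull out the signature type, the issuer key ID (subpacket 16) and any revocation-key subpackets (subpacket 12), followed by the two policies under discussion for a designated revoker's 0x30 certification revocation. The "issuer-only" policy is the PGP 6.5 behaviour the message describes (a 0x30 applies only to the revoker's own certifications); the "designated-cert" policy is the author's proposal (a designated revoker's 0x30 applies only to the certificate that names the revoker in its revocation-key subpacket). The policy names, key IDs, fingerprint and user ID are constructed for the example; the signature bodies carry no real MPIs.

```python
"""Added example: parse the subpackets of v4 OpenPGP signature packets
(RFC 2440 section 5.2.3 layout) and compare two rules for which certifications
a designated revoker's 0x30 certification revocation applies to."""
import struct

SIG_CERT_REVOCATION = 0x30    # certification revocation signature (5.2.1)
SIG_POSITIVE_CERT = 0x13      # positive certification (used here for the self-signature)
SIG_GENERIC_CERT = 0x10       # generic certification (used here for a third party's cert)
SUBPKT_REVOCATION_KEY = 12    # revocation key subpacket: class, pk algorithm, 20-octet fingerprint
SUBPKT_ISSUER = 16            # issuer subpacket: 8-octet key ID


def _subpackets(area: bytes):
    """Yield (type, body) pairs from a subpacket area (1-, 2- and 5-octet lengths)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit off the type
        i += length


def parse_signature(body: bytes) -> dict:
    """Return type, issuer key ID and designated-revoker fingerprints of a v4 signature body.
    The trailing hash-left-16-bits and the MPIs are not needed here and are ignored."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    info = {"type": body[1], "issuer": None, "revocation_keys": []}
    for sub_type, sub_body in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if sub_type == SUBPKT_ISSUER:
            info["issuer"] = sub_body.hex()
        elif sub_type == SUBPKT_REVOCATION_KEY:
            info["revocation_keys"].append(sub_body[2:22].hex())   # skip class and algorithm octets
    return info


def _subpacket(sub_type: int, body: bytes) -> bytes:
    return bytes([len(body) + 1, sub_type]) + body        # the length octet counts the type octet


def build_signature(sig_type: int, issuer_keyid: bytes, revoker_fpr: bytes = b"") -> bytes:
    """Build a constructed v4 signature body (RSA/SHA-1 algorithm ids; no real signature MPIs)."""
    hashed = _subpacket(SUBPKT_REVOCATION_KEY, bytes([0x80, 1]) + revoker_fpr) if revoker_fpr else b""
    unhashed = _subpacket(SUBPKT_ISSUER, issuer_keyid)
    return (bytes([4, sig_type, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")


def revocation_applies(revocation: dict, cert: dict, policy: str) -> bool:
    """Decide whether a 0x30 revocation revokes a given certification over the same key+userid.
    'issuer-only'     : the PGP 6.5 behaviour described in the message (revoker's own certs only).
    'designated-cert' : the rule argued for in the message (hypothetical name): additionally the
                        certificate(s) naming the revoker in a revocation-key subpacket, no others."""
    if revocation["type"] != SIG_CERT_REVOCATION or revocation["binding"] != cert["binding"]:
        return False
    if revocation["issuer"] == cert["issuer"]:
        return True
    if policy == "designated-cert":
        # a v4 key ID is the low 64 bits, i.e. the last 8 octets, of the fingerprint
        return any(fpr[-16:] == revocation["issuer"] for fpr in cert["revocation_keys"])
    return False


def demo() -> dict:
    """Constructed key material: owner key 0xaa.., third party 0xbb.., revoker fingerprint 0x10..0x23."""
    owner, third = b"\xaa" * 8, b"\xbb" * 8
    revoker_fpr = bytes(range(0x10, 0x24))
    binding = ("aaaaaaaaaaaaaaaa", "Alice <alice@example.invalid>")   # (key ID, user ID) being certified
    self_sig = dict(parse_signature(build_signature(SIG_POSITIVE_CERT, owner, revoker_fpr)), binding=binding)
    third_sig = dict(parse_signature(build_signature(SIG_GENERIC_CERT, third)), binding=binding)
    by_revoker = dict(parse_signature(build_signature(SIG_CERT_REVOCATION, revoker_fpr[-8:])), binding=binding)
    by_third = dict(parse_signature(build_signature(SIG_CERT_REVOCATION, third)), binding=binding)
    return {
        policy: {
            "revoker_vs_self_sig": revocation_applies(by_revoker, self_sig, policy),
            "revoker_vs_third_party": revocation_applies(by_revoker, third_sig, policy),
            "third_party_vs_own_cert": revocation_applies(by_third, third_sig, policy),
        }
        for policy in ("issuer-only", "designated-cert")
    }


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Under "issuer-only" the designated revoker's 0x30 touches nothing at all, which is the PGP 6.5 outcome the message reports; under "designated-cert" it revokes exactly the self-signature that named the revoker and leaves the third party's certification alone, which is the narrow scope the author argues for. Neither policy makes a 0x30 reach certifications whose issuer and revocation-key subpackets do not mention the signer, so the ambiguity raised in the quoted reply (which certificate a designated revoker's 0x30 targets) is resolved by the subpacket contents rather than by ordering.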