Re: Identifying revoked certificates
disastry@saiknes.lv Fri, 07 September 2001 08:27 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA04205 for <openpgp-archive@odin.ietf.org>; Fri, 7 Sep 2001 04:27:03 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f878BQH12874 for ietf-openpgp-bks; Fri, 7 Sep 2001 01:11:26 -0700 (PDT)
Received: from HACKSERV.saiknes.lv (hackserv.saiknes.lv [195.2.103.8]) by above.proper.com (8.11.6/8.11.3) with SMTP id f878BKD12861 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 01:11:22 -0700 (PDT)
Received: from saiknes.lv (unverified [127.0.0.1]) by 127.0.0.1 (EMWAC SMTPRS 0.83) with SMTP id <B0000084124@127.0.0.1>; Fri, 07 Sep 2001 09:01:01 +0200
Message-ID: <3B987EBD.27F70B44@saiknes.lv>
Date: Fri, 07 Sep 2001 10:01:01 +0200
From: disastry@saiknes.lv
Organization: .NO.SPaM.NET
X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U)
X-Accept-Language: en,lv,ru
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: Identifying revoked certificates
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > On Thu, Sep 06, 2001 at 12:06:49PM -0700, Jon Callas wrote: > > Is it worth adding the timestamp from the original signature to help > > find it without having to look at the (larger) hashes? On a uid with > > many signatures, this could speed things up. Once found, of course, > > the hash could then be checked for confirmation. > > I don't mind having the timestamp there, but I don't feel a need for > it, either. While I feel a need for this subpacket, at the same time, > I expect this situation to be rare, and there are other ways to > control the cost: > > Note that this disambiguation is necessary only for signatures within > the same context (key, key/user, key/subkey) and made by the *same > creator*. do not forget that sigs can be revoked not only by the *same creator*, but also by *designated revoker*. (AFAIK currently no PGP implementation supports designated revokers for userid signatures, but it is allowed in 5.2.1. 0x30) btw currently there is not possible to know what is revoked by designated revoker - keys self signature or revokers signature if there is one. for example: key A have signed by A (self sig) and B, in self sig B is specified as designated revoker. now if B revokes his signature, but currently it looks exactly like he have revoked A's self signature. > Although the current packet ordering rules don't address certificate > revocation, I'd suggest that a prudent ordering would put each after > its target. 11.1. says that key and subkey revocation is *before* signatures. why make it different for userid revocation? == <EOF> == Disastry http://i.am/disastry/ -----BEGIN PGP SIGNATURE----- Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1 iQA/AwUBO5hiZjBaTVEuJQxkEQM2ywCcDUR8Ru7Zj12mHGGyZH7Kcdi8XqUAmwVx SyqrvY8wYoDZOyiyFItJ+RZT =2jSN -----END PGP SIGNATURE-----
- Re: Identifying revoked certificates disastry
- Re: Identifying revoked certificates Michael Young