Web of Trust
I know the public part of an expired or revoked key can still be used to
verify an old signature on a message or file. What about verifying
another key that was signed before the expiration or revocation?
Betty signs George's key and marks it as trusted. George signs Susan's
key. Betty then adds Susan's key to her keyring and finds that Susan's
key is already at least partially valid.
Change the scenario slightly: Before Betty gets Susan's key, George's
key expires. Betty leaves the expired key on her keyring. What is the
status of Susan's key when added to Betty's keyring? Is the result any
different if George revokes his key instead of it expiring?
--
David E. Ross
<http://www.rossde.com/>
Q: What's a President Bush ****tail?
A: Business on the rocks.
-
Re: Web of Trust
On Sat, 18 Oct 2008 19:50:27 -0400, David E. Ross <nobody@nowhere.not> wrote:
> Change the scenario slightly: Before Betty gets Susan's key, George's
> key expires. Betty leaves the expired key on her keyring. What is the
> status of Susan's key when added to Betty's keyring? Is the result any
> different if George revokes his key instead of it expiring?
Don't know about pgp, but looking at gnupg-2.0.9/g10/trustdb.c, in the
function mark_usable_uid_certs, it does not use expired or revoked keys,
so the result is as if the signature did not exist.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
-
Re: Web of Trust
"David E. Ross" <nobody@nowhere.not> writes:
> Change the scenario slightly: Before Betty gets Susan's key, George's
> key expires. Betty leaves the expired key on her keyring. What is the
> status of Susan's key when added to Betty's keyring? Is the result any
> different if George revokes his key instead of it expiring?
My gnupg experience is consistent with what Dave Hodgins posted. I'm
also not sure about what the pgp software does.
It is probably best for the software to play it safe. We can always
override the software by signing a key ourselves after manually
checking signatures.
-
Re: Web of Trust
On Sat, 18 Oct 2008 22:29:19 -0400, Neil W Rickert <rickert+nn@cs.niu.edu> wrote:
> My gnupg experience is consistent with what Dave Hodgins posted. I'm
> also not sure about what the pgp software does.
I just checked PGP800-S-W-Inner.zip (the latest pgp version I've downloaded
the source for).
In kate libs2/pgpsdk/priv/crypto/keys/pgpTrustProp.c, function sFindPathsUserID,
it also ignores signatures where the signing key has expired, or been revoked.
I doubt that would have changed in newer versions.
Regards, Dave Hodgins
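A toy model of the behaviour the two Dave Hodgins posts describe for gnupg (mark_usable_uid_certs) and PGP (sFindPathsUserID): a certification made by a key that is now expired or revoked is skipped when computing another key's validity, so Susan's key gets nothing from George's signature. This is an added example, not code from the thread or from either product; the Key class, the keyring dictionary and the trust-level strings are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

# Hypothetical model of the thread's scenario, not GnuPG's or PGP's own types.

@dataclass
class Key:
    owner: str
    expires: Optional[date] = None                 # None: never expires
    revoked: bool = False
    certs: Set[str] = field(default_factory=set)   # owners who signed this key

def is_usable(key: Key, today: date) -> bool:
    """An expired or revoked certifying key contributes nothing, even though
    the same public key could still verify an old data signature."""
    if key.revoked:
        return False
    return key.expires is None or key.expires > today

def validity(target: Key, keyring: Dict[str, Key], owner_trust: Dict[str, str],
             today: date, marginals_needed: int = 3) -> str:
    """Return 'full', 'marginal' or 'unknown' for target, counting only
    certifications from usable keys whose owners are trusted."""
    full = marginal = 0
    for signer in target.certs:
        key = keyring.get(signer)
        if key is None or not is_usable(key, today):
            continue                        # treated as if the signature did not exist
        level = owner_trust.get(signer, "unknown")
        if level == "full":
            full += 1
        elif level == "marginal":
            marginal += 1
    if full >= 1 or marginal >= marginals_needed:
        return "full"
    return "marginal" if marginal >= 1 else "unknown"

def scenario(george_expires: Optional[str] = None, george_revoked: bool = False,
             today: str = "2008-10-18") -> str:
    """Betty fully trusts George; George signed Susan's key; how valid is Susan's?"""
    expiry = date.fromisoformat(george_expires) if george_expires else None
    george = Key("George", expiry, george_revoked, certs={"Betty"})
    susan = Key("Susan", certs={"George"})
    keyring = {"Betty": Key("Betty"), "George": george, "Susan": susan}
    owner_trust = {"Betty": "ultimate", "George": "full"}
    return validity(susan, keyring, owner_trust, date.fromisoformat(today))
```

Calling scenario() with no arguments gives Susan's key full validity through George; passing an expiry date in the past or george_revoked=True drops it to unknown.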