Web of Trust - PGP


Thread: Web of Trust

  1. Web of Trust

    I know the public part of an expired or revoked key can still be used to
    verify an old signature on a message or file. What about verifying
    another key that was signed before the expiration or revocation?

    Betty signs George's key and marks it as trusted. George signs Susan's
    key. Betty then adds Susan's key to her keyring and finds that Susan's
    key is already at least partially valid.

    Change the scenario slightly: Before Betty gets Susan's key, George's
    key expires. Betty leaves the expired key on her keyring. What is the
    status of Susan's key when added to Betty's keyring? Is the result any
    different if George revokes his key instead of it expiring?

    --

    David E. Ross


    Q: What's a President Bush cocktail?
    A: Business on the rocks.

  2. Re: Web of Trust

    On Sat, 18 Oct 2008 19:50:27 -0400, David E. Ross wrote:

    > Change the scenario slightly: Before Betty gets Susan's key, George's
    > key expires. Betty leaves the expired key on her keyring. What is the
    > status of Susan's key when added to Betty's keyring? Is the result any
    > different if George revokes his key instead of it expiring?


    Don't know about pgp, but looking at gnupg-2.0.9/g10/trustdb.c, in the
    function mark_usable_uid_certs, it does not use expired or revoked keys,
    so the result is as if the signature did not exist.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  3. Re: Web of Trust

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "David E. Ross" writes:

    >Change the scenario slightly: Before Betty gets Susan's key, George's
    >key expires. Betty leaves the expired key on her keyring. What is the
    >status of Susan's key when added to Betty's keyring? Is the result any
    >different if George revokes his key instead of it expiring?


    My gnupg experience is consistent with what Dave Hodgins posted. I'm
    also not sure about what the pgp software does.

    It is probably best for the software to play it safe. We can always
    override the software by signing a key ourselves after manually
    checking signatures.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.9 (GNU/Linux)

    iEYEARECAAYFAkj6m+sACgkQvmGe70vHPUNWdgCeLX13wpxY9RhyzanrbscQxlOl
    t9QAoOV2OfSbLmlFLqeJ2KDBWn1M0Ive
    =6vyZ
    -----END PGP SIGNATURE-----


  4. Re: Web of Trust

    On Sat, 18 Oct 2008 22:29:19 -0400, Neil W Rickert wrote:

    > My gnupg experience is consistent with what Dave Hodgins posted. I'm
    > also not sure about what the pgp software does.


    I just checked PGP800-S-W-Inner.zip (the latest pgp version I've downloaded
    the source for).
    In kate libs2/pgpsdk/priv/crypto/keys/pgpTrustProp.c, function sFindPathsUserID,
    it also ignores signatures where the signing key has expired, or been revoked.

    I doubt that would have changed in newer versions.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)
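The behaviour the three replies describe, worked through as an added example. This is not code from the thread, from GnuPG or from PGP; it is a small model of the classic trust model's validity computation that applies the one rule the posters found in trustdb.c and pgpTrustProp.c: a certification counts only while the certifying key is fully valid, carries owner trust, and is neither expired nor revoked at evaluation time, whatever the date on the certification. The key names (BETTY, GEORGE, SUSAN), the dates and the keyring layout are made up; the thresholds are gpg's documented defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5). Trust signatures, per-user-ID validity and the tofu trust model are left out.

```python
"""Toy model of the validity computation in GnuPG's classic trust model.

Constructed illustration (not GnuPG or PGP code). A certification counts
only if the certifying key is itself fully valid, carries owner trust,
and is neither expired nor revoked *now*, regardless of when the
certification was made. Thresholds mirror gpg's defaults
(--completes-needed 1, --marginals-needed 3, --max-cert-depth 5).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


@dataclass
class Key:
    keyid: str                              # hypothetical key name
    ownertrust: str = UNKNOWN               # assigned by the keyring owner
    expires: Optional[date] = None
    revoked: bool = False
    # certifications on this key's user ID: (signer keyid, date signed)
    certs: List[Tuple[str, date]] = field(default_factory=list)

    def usable(self, today: date) -> bool:
        """Revoked keys and keys past their expiry date cannot certify."""
        return not self.revoked and (self.expires is None or today < self.expires)


def compute_validity(keys: Dict[str, Key], today: date,
                     completes_needed: int = 1, marginals_needed: int = 3,
                     max_depth: int = 5) -> Dict[str, str]:
    """Propagate validity outward from the ultimately trusted keys."""
    validity = {kid: UNKNOWN for kid in keys}
    # Depth 0: ultimately trusted keys are valid by definition and may certify.
    trusted = {kid for kid, k in keys.items() if k.ownertrust == ULTIMATE}
    for kid in trusted:
        validity[kid] = ULTIMATE

    for _depth in range(max_depth):
        newly_full = set()
        for kid, key in keys.items():
            if validity[kid] in (FULL, ULTIMATE):
                continue
            if not key.usable(today):
                validity[kid] = "revoked" if key.revoked else "expired"
                continue
            fully = marginal = 0
            for signer, _signed_on in key.certs:
                s = keys.get(signer)
                # Like mark_usable_uid_certs: a certification from a key that is
                # unknown, not (yet) trusted, expired or revoked is skipped, even
                # though _signed_on predates the expiry or revocation.
                if s is None or signer not in trusted or not s.usable(today):
                    continue
                if s.ownertrust in (FULL, ULTIMATE):
                    fully += 1
                elif s.ownertrust == MARGINAL:
                    marginal += 1
            if fully >= completes_needed or marginal >= marginals_needed:
                validity[kid] = FULL
                newly_full.add(kid)
            elif fully or marginal:
                validity[kid] = MARGINAL
        if not newly_full:
            break           # nothing changed; deeper rounds cannot add validity
        # Only fully valid keys that also carry owner trust certify at the next depth.
        trusted |= {kid for kid in newly_full
                    if keys[kid].ownertrust in (MARGINAL, FULL)}
    return validity


def thread_scenario(george_expires: Optional[str] = None, george_revoked: bool = False,
                    betty_signs_susan: bool = False,
                    today: str = "2008-10-18") -> Dict[str, str]:
    """Betty (ultimate) certifies George (full owner trust); George certifies Susan.

    Key names and dates are made up for the example. George's signature on
    Susan is dated before any expiry or revocation of his key.
    """
    now = date.fromisoformat(today)
    expiry = date.fromisoformat(george_expires) if george_expires else None
    keys = {
        "BETTY": Key("BETTY", ownertrust=ULTIMATE),
        "GEORGE": Key("GEORGE", ownertrust=FULL, expires=expiry,
                      revoked=george_revoked, certs=[("BETTY", date(2007, 1, 10))]),
        "SUSAN": Key("SUSAN", certs=[("GEORGE", date(2007, 6, 1))]),
    }
    if betty_signs_susan:       # the manual override suggested in the thread
        keys["SUSAN"].certs.append(("BETTY", now))
    return compute_validity(keys, now)


if __name__ == "__main__":
    print("George valid:   ", thread_scenario()["SUSAN"])                               # full
    print("George expired: ", thread_scenario(george_expires="2008-01-01")["SUSAN"])   # unknown
    print("George revoked: ", thread_scenario(george_revoked=True)["SUSAN"])           # unknown
    print("Betty re-signs: ", thread_scenario(george_revoked=True,
                                              betty_signs_susan=True)["SUSAN"])       # full
```

The model reproduces what the posts report: with George's key usable, Susan reaches full validity at depth 2; once George's key has expired or been revoked, his certification is dropped and Susan falls back to unknown, and the only way back is a fresh certification from a key Betty trusts (here Betty's own). To check the same thing against a real keyring, run gpg --check-trustdb and read the validity column of gpg --list-keys --with-colons; the thresholds above correspond to the --completes-needed, --marginals-needed and --max-cert-depth options.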
