Betty signs George's key and marks it as trusted. George signs Susan's
key. Betty then adds Susan's key to her keyring and finds that Susan's
key is already at least partially valid.
Change the scenario slightly: Before Betty gets Susan's key, George's
key expires. Betty leaves the expired key on her keyring. What is the
status of Susan's key when added to Betty's keyring? Is the result any
different if George revokes his key instead of it expiring?
--
David E. Ross
<http://www.rossde.com/>
Q: What's a President Bush cocktail?
A: Business on the rocks.
> Change the scenario slightly: Before Betty gets Susan's key, George's
> key expires. Betty leaves the expired key on her keyring. What is the
> status of Susan's key when added to Betty's keyring? Is the result any
> different if George revokes his key instead of it expiring?
Don't know about pgp, but looking at gnupg-2.0.9/g10/trustdb.c, in the
function mark_usable_uid_certs, it does not use expired or revoked keys,
so the result is as if the signature did not exist.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
"David E. Ross" <nob...@nowhere.not> writes:
>Change the scenario slightly: Before Betty gets Susan's key, George's
>key expires. Betty leaves the expired key on her keyring. What is the
>status of Susan's key when added to Betty's keyring? Is the result any
>different if George revokes his key instead of it expiring?
My gnupg experience is consistent with what Dave Hodgins posted. I'm
also not sure about what the pgp software does.
It is probably best for the software to play it safe. We can always
override the software by signing a key ourselves after manually
checking signatures.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkj6m+sACgkQvmGe70vHPUNWdgCeLX13wpxY9RhyzanrbscQxlOl
t9QAoOV2OfSbLmlFLqeJ2KDBWn1M0Ive
=6vyZ
-----END PGP SIGNATURE-----
> My gnupg experience is consistent with what Dave Hodgins posted. I'm
> also not sure about what the pgp software does.
I just checked PGP800-S-W-Inner.zip (the latest pgp version I've downloaded
the source for).
In kate libs2/pgpsdk/priv/crypto/keys/pgpTrustProp.c, function sFindPathsUserID,
it also ignores signatures where the signing key has expired, or been revoked.
I doubt that would have changed in newer versions.
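The behaviour both replies describe (GnuPG's mark_usable_uid_certs and PGP's sFindPathsUserID both skipping certifications whose signing key is expired or revoked) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not code from GnuPG or PGP: a toy web-of-trust validity computation over an in-memory keyring, run through the Betty/George/Susan scenarios from the original question, plus the manual override mentioned above (Betty signing Susan's key herself). The owner-trust vocabulary, the default of three marginal introducers, and the rule that only a fully valid key can act as an introducer are assumptions of this model, chosen to resemble GnuPG's defaults, not a transcription of either implementation.

```python
"""Toy web-of-trust validity model (added example, not GnuPG or PGP code).

A certification contributes to a key's validity only if the signer's key
is usable (neither expired nor revoked) at evaluation time, is itself
fully valid, and carries owner trust.  Expired or revoked signers are
skipped exactly as if their signature were absent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Owner-trust levels; hypothetical names loosely following GnuPG's vocabulary.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


@dataclass
class Key:
    keyid: str
    owner_trust: str = UNKNOWN
    expires: Optional[int] = None     # expiry time; None means never expires
    revoked: bool = False
    certs: List[str] = field(default_factory=list)  # keyids that certified this key

    def usable_at(self, now: int) -> bool:
        """A revoked key, or one past its expiry, cannot act as an introducer."""
        if self.revoked:
            return False
        return self.expires is None or now < self.expires


class Keyring:
    def __init__(self, own_keyid: str, keys: List[Key], marginals_needed: int = 3):
        self.own = own_keyid
        self.keys: Dict[str, Key] = {k.keyid: k for k in keys}
        self.marginals_needed = marginals_needed   # assumption: GnuPG's default of 3

    def validities(self, now: int) -> Dict[str, str]:
        """Compute validity ("full", "marginal", "unknown", "expired", "revoked")
        for every key by iterating to a fixpoint; validity only ever increases,
        so the loop terminates even with certification cycles."""
        val = {kid: UNKNOWN for kid in self.keys}
        val[self.own] = FULL                       # the ring owner's own key
        changed = True
        while changed:
            changed = False
            for kid, key in self.keys.items():
                if kid == self.own:
                    continue
                if not key.usable_at(now):
                    new = "revoked" if key.revoked else "expired"
                else:
                    full_sigs = marginal_sigs = 0
                    for signer_id in key.certs:
                        signer = self.keys.get(signer_id)
                        # The check both posters found: an expired or revoked
                        # signer contributes nothing, as if the cert did not exist.
                        if signer is None or not signer.usable_at(now):
                            continue
                        # Assumption of this model: only fully valid keys introduce.
                        if val[signer_id] != FULL:
                            continue
                        if signer.owner_trust in (FULL, ULTIMATE):
                            full_sigs += 1
                        elif signer.owner_trust == MARGINAL:
                            marginal_sigs += 1
                    if full_sigs >= 1 or marginal_sigs >= self.marginals_needed:
                        new = FULL
                    elif marginal_sigs >= 1:
                        new = MARGINAL
                    else:
                        new = UNKNOWN
                if new != val[kid]:
                    val[kid] = new
                    changed = True
        return val


def scenario(george_expires: Optional[int] = None, george_revoked: bool = False,
             betty_signs_susan: bool = False, now: int = 100) -> Dict[str, str]:
    """Constructed keyring for the thread's scenario: Betty (ring owner) signs
    and fully trusts George; George signs Susan.  Optional variations: George's
    key expires before `now`, George revokes it, or Betty signs Susan herself."""
    betty = Key("BETTY", owner_trust=ULTIMATE)
    george = Key("GEORGE", owner_trust=FULL, expires=george_expires,
                 revoked=george_revoked, certs=["BETTY"])
    susan = Key("SUSAN", certs=["GEORGE"])
    if betty_signs_susan:
        susan.certs.append("BETTY")                # the manual override
    return Keyring("BETTY", [betty, george, susan]).validities(now)


if __name__ == "__main__":
    print("baseline:        ", scenario()["SUSAN"])
    print("George expired:  ", scenario(george_expires=50)["SUSAN"])
    print("George revoked:  ", scenario(george_revoked=True)["SUSAN"])
    print("Betty signs too: ", scenario(george_expires=50, betty_signs_susan=True)["SUSAN"])
```

In the baseline Susan's key comes out fully valid; with George's key expired or revoked it drops to unknown, and the two cases are indistinguishable from Susan's point of view, which is the answer given in the thread. Betty's own signature on Susan's key restores validity regardless of George's status, which is the override described above.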