From: Daniel Kahn Gillmor
Subject: [Sks-devel] keyserver verification of revocation certificates (gpg --keyserver-options include-revoked)
Date: Fri, 24 Apr 2009 19:25:01 -0400
User-agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)
I was just reading gpg(1) and i noticed this section within
--keyserver-options:
> include-revoked
> When searching for a key with --search-keys, include keys
> that are marked on the keyserver as revoked. Note that
> not all keyservers differentiate between revoked and
> unrevoked keys, and for such keyservers this option is
> meaningless. Note also that most keyservers do not have
> cryptographic verification of key revocations, and so
> turning this option off may result in skipping keys that
> are incorrectly marked as revoked.
I'm particularly curious about the last sentence, as it suggests that a
basic cryptographic check ("was this revocation certificate produced by
that key?") is not present in most keyservers.
Is this true of SKS? I haven't tested posting a falsified revocation
certificate yet (which i should probably test anyway), but i was curious
what the folks who know the code better than i do expect to happen were
such a certificate uploaded to an SKS keyserver.
Any thoughts? Or is this note in gpg(1) out of date?
--dkg
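An added example, not part of the message above or of SKS: the check the question describes ("was this revocation certificate produced by that key?") as GnuPG performs it on import, run in a throwaway keyring. It assumes gpg 2.1 or later plus awk, sed, od and dd; the key, user id and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: the cryptographic check the question describes
# ("was this revocation certificate produced by that key?"), as GnuPG
# performs it on import. Assumes gpg 2.1+, awk, sed, od and dd; the key,
# user id and file names below are constructed for this demo.
set -e

# Throwaway keyring so nothing here touches a real one.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Constructed test key. GnuPG 2.1+ also writes a ready-made revocation
# certificate to openpgp-revocs.d/<FPR>.rev, with the armor header
# prefixed by ":" so it cannot be imported by accident.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'revtest@example.invalid' default default never
FPR=$(gpg --batch --with-colons --list-keys 'revtest@example.invalid' \
      | awk -F: '$1 == "fpr" { print $10; exit }')
sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$GNUPGHOME/good.rev"

# Falsified variant: same packet, but the last byte of the signature MPI
# is changed, so the signature no longer verifies against the key.
gpg --batch --dearmor < "$GNUPGHOME/good.rev" > "$GNUPGHOME/bad.bin"
SIZE=$(wc -c < "$GNUPGHOME/bad.bin")
LAST=$(tail -c 1 "$GNUPGHOME/bad.bin" | od -An -tu1 | tr -d ' ')
printf "$(printf '\\%03o' $(( (LAST + 1) % 256 )))" \
    | dd of="$GNUPGHOME/bad.bin" bs=1 seek=$((SIZE - 1)) conv=notrunc 2>/dev/null

# revocation_status FILE: import FILE as a revocation certificate, then
# report the key's validity field from --with-colons output: "r" means
# the key is now revoked; anything else means the certificate was not
# accepted (gpg rejects one whose signature does not verify).
revocation_status() {
    gpg --batch --quiet --import "$1" 2>/dev/null || true
    gpg --batch --with-colons --list-keys "$FPR" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

FORGED=$(revocation_status "$GNUPGHOME/bad.bin")    # rejected: not "r"
GENUINE=$(revocation_status "$GNUPGHOME/good.rev")  # accepted: "r"
echo "after forged cert: $FORGED; after genuine cert: $GENUINE"
gpgconf --kill gpg-agent 2>/dev/null || true
```

The same import-time check is what a keyserver would need to run before flagging a key as revoked; without it, a certificate that merely names the key id is indistinguishable from one the key holder actually signed.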