On Thu, Jan 19, 2017 at 11:44 PM, Razer <g...@riseup.net> wrote:
> gpg: Signature made Mon 15 Aug 2016 10:01:19 PM PDT using RSA key ID
> 139A768E
> Primary key fingerprint: 4E07 9126 8F7C 67EA BE88  F1B0 3043 E2B7 139A 768E

> The canary hasn't been updated but the gpg output still shows a good sig

> They could still kill the canary by revoking the key, and they haven't done
> that.

A canary that has not met its own terms of service is a dead canary.
If the terms were defective, cause of death might be found as some
specific like from being tossed overboard in muddy waters with
concrete shoes on, regardless still quite dead.

The sig will always bitwise validate, though what level of value
to place in any sig expiry parameter is up to user. In canary it should
be treated as a bound on validity. Though most seem to make their
validity period statement in the content they're signing over.

As to key revocation, a reup selfsig to that key landed on 2016-10-21,
with five hopefully thoughtful and careful wot sigs over it since then.
With four of them occurring on or after the content expiry date.

Other keys possibly belonging to riseup have not reupped or revoked,
nor may necessarily be known to public wot, such as this on sks
pub  4096R/D6F6C5B4 2010-11-11 archive collective@


The bird is well beyond its update schedule, therefore it's dead.
Remains to be seen whether there will be an updated canary,
silence, or free speech / destruction possibly including potential
martyrdom in the brig.
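
As an added example (not part of the original message, and not riseup's or GnuPG's own code): a check that keeps "the signature verifies" separate from "the canary is current", reading the VALIDSIG and REVKEYSIG lines of `gpg --status-fd` output. The fingerprint and signature time are the ones quoted in the thread; the 92-day schedule, the sample status text and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FPR = "4E0791268F7C67EABE88F1B03043E2B7139A768E"      # primary key fingerprint quoted in the thread
SIGNED = datetime(2016, 8, 16, 5, 1, 19, tzinfo=UTC)  # 15 Aug 2016 10:01:19 PM PDT, in UTC
# Constructed sample of `gpg --status-fd 1 --verify` output; uid and algorithm fields are made up.
SAMPLE = ("[GNUPG:] GOODSIG 3043E2B7139A768E constructed-uid\n"
          f"[GNUPG:] VALIDSIG {FPR} 2016-08-16 {int(SIGNED.timestamp())} 0 4 0 1 8 00 {FPR}\n")

def _ts(field):
    """GnuPG prints timestamps as epoch seconds or as ISO 8601 (YYYYMMDDTHHMMSS)."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=UTC)
    return datetime.fromtimestamp(int(field), UTC)

def canary_state(status, expected_fpr, max_age, now):
    """Classify a canary: a good signature is necessary, freshness is checked separately."""
    valid = None
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "REVKEYSIG":            # signature verifies, but the key is revoked
            return "key-revoked"
        if parts[1] == "VALIDSIG" and len(parts) >= 6:
            valid = parts
    if valid is None:
        return "no-valid-signature"
    # Last VALIDSIG field is the primary key fingerprint (differs when a subkey signed).
    primary = valid[11] if len(valid) >= 12 else valid[2]
    if primary.upper() != expected_fpr.replace(" ", "").upper():
        return "wrong-key"
    deadline = _ts(valid[4]) + max_age         # bound set by the update schedule
    if valid[5] != "0":                        # signature has its own expiry: take the earlier
        deadline = min(deadline, _ts(valid[5]))
    return "fresh" if now <= deadline else "stale"

if __name__ == "__main__":
    quarter = timedelta(days=92)               # assumed schedule, not taken from the thread
    print(canary_state(SAMPLE, FPR, quarter, datetime(2017, 1, 20, tzinfo=UTC)))
```
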
