gpg --check-sigs produces information about whether a certification was revoked, but not whether the certification was made by a key which itself was revoked.
This seems troublesome to me.
Consider this scenario:
Alice has key A, and Bob has key B.
Alice's key gets compromised by Mallory.
Alice notices the compromise, and revokes her key, indicating that it was compromised.
Mallory makes a new key, M, attaches Bob's user ID to it, and makes a certification over (Bob,M) with key A.
Charles knows Alice, and wants to communicate with Bob. He fetches key M, and runs "gpg --check-sigs Bob", which shows Alice's signature.
The output of --check-sigs shows no warning that A has been revoked (marked compromised).
Maybe gpg should emit the same "X" that it currently emits for revoked certifications as it does for certifications made from revoked (or at least revoked-due-to-compromise) keys?
--dkg
_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
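The cross-check the post asks for, as an added example that is not part of the original message and not GnuPG's own code: a script that post-processes the machine-readable output of gpg --with-colons --check-sigs (record layout as documented in GnuPG's doc/DETAILS) and flags every third-party certification whose signing key is itself marked revoked in the keyring. The colon-format sample embedded below is constructed by hand to mirror the Alice/Bob/Mallory scenario; the key IDs, user IDs, dates and hash fields in it are made up. It keys off the "r" validity flag of the signer's pub record, so it reacts to any revocation, not only revocation-for-compromise, since the reason code is not carried in the records it reads.

```python
"""Flag OpenPGP certifications made by keys that are themselves revoked.

Added example (not from the post or from GnuPG). Reads `gpg --with-colons
--check-sigs` records and reports certifications on one key that were made
by another key whose own pub record carries validity 'r' (revoked).
"""
import subprocess
from dataclasses import dataclass

# Constructed sample output (not captured from a real keyring): key A
# (Alice, 0A1B...) is revoked; key M (4D4D...) carries Bob's user ID and a
# certification made with A, exactly the scenario from the post.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:r:3072:1:0A1B2C3D4E5F6071:1600000000:::-:::scESC::::::23::0:
rev:!::1:0A1B2C3D4E5F6071:1690000000::::Alice <alice@example.org>:20x:::::2:
uid:r::::1600000000::E4F1::Alice <alice@example.org>::::::::::0:
sig:!::1:0A1B2C3D4E5F6071:1600000000::::Alice <alice@example.org>:13x:::::2:
pub:-:3072:1:4D4D4D4D4D4D4D4D:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::7B2C::Bob <bob@example.org>::::::::::0:
sig:!::1:4D4D4D4D4D4D4D4D:1700000000::::Bob <bob@example.org>:13x:::::2:
sig:!::1:0A1B2C3D4E5F6071:1700000100::::Alice <alice@example.org>:10x:::::2:
"""


@dataclass(frozen=True)
class Finding:
    certified_key: str   # key ID that carries the suspect certification
    user_id: str         # user ID the certification covers
    signer_key: str      # revoked key that made the certification
    signer_uid: str      # user ID gpg prints for the signer


def parse_colon_records(text):
    """Split each non-empty --with-colons line into its fields.

    Field positions (0-based) used here: 0 record type, 1 validity,
    4 key ID (the listed key for pub/sub, the signing key for sig/rev),
    9 user ID (C-escaped by gpg, left as-is), 10 signature class.
    """
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def field(record, index):
    return record[index] if index < len(record) else ""


def revoked_key_ids(records):
    """Key IDs of primary keys and subkeys whose validity field is 'r'."""
    return {field(r, 4) for r in records
            if r[0] in ("pub", "sub") and field(r, 1) == "r"}


def certs_from_revoked_keys(colon_output):
    """Return certifications signed by a revoked key other than the key itself.

    Self-signatures on a revoked key are skipped: gpg already displays that
    key as revoked, so they are not the case the post is worried about.
    """
    records = parse_colon_records(colon_output)
    revoked = revoked_key_ids(records)
    findings = []
    key = uid = None
    for r in records:
        kind = r[0]
        if kind == "pub":
            key, uid = field(r, 4), None
        elif kind == "uid":
            uid = field(r, 9)
        elif kind == "sig" and uid is not None:
            signer = field(r, 4)
            if signer != key and signer in revoked:
                findings.append(Finding(key, uid, signer, field(r, 9)))
    return findings


def check_keyring(*gpg_args):
    """Run the check on a real keyring (needs gpg on PATH; not used by the demo)."""
    proc = subprocess.run(["gpg", "--with-colons", "--check-sigs", *gpg_args],
                          check=True, capture_output=True, text=True)
    return certs_from_revoked_keys(proc.stdout)


if __name__ == "__main__":
    for f in certs_from_revoked_keys(SAMPLE):
        print(f"X? certification on {f.certified_key} [{f.user_id}] "
              f"by REVOKED key {f.signer_key} ({f.signer_uid})")
```

Run as-is it reports the certification on M's "Bob" user ID by the revoked key A; check_keyring("Bob") does the same against a live keyring. The revocation reason (compromised versus superseded, and so on) is not in the records this script reads, so a keyring with an innocently retired key will also produce findings; that is the conservative side to err on for a web-of-trust check.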
