Re: (bug?) Revoked keys and past signatures

2015-02-11 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 18:24:19 -0500, Daniel Kahn Gillmor wrote: > It sounds to me like you're asking for the standard to separate out > "signature creation time" from "signature validity start time". > > This is an interesting proposal, and i can see why it would make sense > for this scenario. > > I

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 13:20:03 -0500, Hauke Laging wrote: >> your certifications (whether local or exportable) themselves have a >> timestamp in them. It would be silly to certify a key and its user ID >> after it was revoked by the owner; you'd be claiming "i believe that >> right now this is the cor

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Ingo Klöcker
On Tuesday 10 February 2015 10:37:38 Hugo Osvaldo Barrera wrote: > On 2015-02-10 13:30, Kristian Fiskerstrand wrote: > > On 02/10/2015 01:24 PM, Peter Lebbing wrote: > > > On 10/02/15 12:52, Kristian Fiskerstrand wrote: > > >> No, the signature is still valid: > > > Why? The key was revoked because

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Hauke Laging
On Tue 10.02.2015, 13:01:17, Daniel Kahn Gillmor wrote: > > I can even sit down with the owner of > > the key and verify his ID and fingerprint and sign it, meaning > > "this key belongs to this person, but was superseded a week ago". > > If actually influences the validity of anything he signed

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Daniel Kahn Gillmor
On Tue 2015-02-10 08:37:38 -0500, Hugo Osvaldo Barrera wrote: > Also, I see no reason why I should not be able to assign a trust to a revoked > key - I might trust it even if the author revoked it as superseded: > > > $ gpg --edit 1BFBED44 > [... info on revoked key ...] > gpg> lsign > Key

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Hugo Osvaldo Barrera
On 2015-02-10 13:30, Kristian Fiskerstrand wrote: > On 02/10/2015 01:24 PM, Peter Lebbing wrote: > > On 10/02/15 12:52, Kristian Fiskerstrand wrote: > >> No, the signature is still valid: > >> > > > > > Why? The key was revoked because it was superseded or has been > > retired, not because it wa

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 13:30, Kristian Fiskerstrand wrote: > Unless you rely on a trusted third party to provide signature stamps, > signature dates can be forged. A key revocation should result in immediate > questioning of all aspects of the key, as it current

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Kristian Fiskerstrand
On 02/10/2015 01:24 PM, Peter Lebbing wrote: > On 10/02/15 12:52, Kristian Fiskerstrand wrote: >> No, the signature is still valid: >> > > Why? The key was revoked because it was superseded or has been > retired, not because it was stolen or com

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 13:24, Peter Lebbing wrote: > If you're convinced you're not mistaken, could you please take the time > to show me where this data signature from a revoked key is any different > than a signature from any random invalid key? Quick correction: If you're convinced you're not mistaken, c

Re: (bug?) Revoked keys and past signatures

2015-02-10 Thread Peter Lebbing
On 10/02/15 12:52, Kristian Fiskerstrand wrote: > No, the signature is still valid: > >> $ gpg2 --verify test.gpg gpg: Signature made Tue 10 Feb 2015 >> 11:53:47 CET using RSA key ID > B2F1C0D8 >> gpg: Good signature from "Testkey 3" [unknown] > ^^ > In my opinion, the signat