Subkey revocation signature

Thomas Oberndörfer info at mailvelope.com
Tue Feb 4 17:21:03 CET 2014


Ok, that explains it. Thanks for pointing to errata and discussion.

Thomas

On Tue, Feb 4, 2014 at 4:32 PM, David Shaw <dshaw at jabberwocky.com> wrote:
> On Feb 4, 2014, at 6:53 AM, Thomas Oberndörfer <info at mailvelope.com> wrote:
>
>> Hello,
>>
>> I'm trying to verify subkey revocation signatures created with GPG.
>>
>> RFC4880 says:
>> "Key revocation signatures (types 0x20 and 0x28) hash only the key
>> being revoked"
>> http://tools.ietf.org/html/rfc4880#section-5.2.4
>>
>> But when I compute the hash data only with the subkey packet the
>> verification fails.
>>
>> I then tried to hash primary and subkey packet together and the
>> verification succeeded.
>>
>> So it looks like GPG is calculating subkey revocation signature
>> (type 0x28) in the same way as the binding signature (type 0x18).
>>
>> Is this correct? And if yes is this not a deviation from RFC4880?
>> I'm currently implementing this verification in OpenPGP.js and
>> not sure how to handle this case.
>
> This is correct - a subkey revocation hashes both the primary and subkeys, similar to a binding signature.  The language in 4880 was in error, and an errata was filed for it: http://www.rfc-editor.org/errata_search.php?rfc=4880&eid=3298
>
> David
>



More information about the Gnupg-devel mailing list