Password reset

David Shaw dshaw@jabberwocky.com
Tue Aug 21 16:29:01 2001


On Tue, Aug 21, 2001 at 03:55:09PM +0200, Florian Weimer wrote:

> David Shaw <dshaw@jabberwocky.com> writes:
>
> > OpenPGP puts the onus of deciding whether to use or trust a key on the
> > local user's side.
>
> The OpenPGP RFC doesn't say anything about these issues, so it's not
> clear that the local user has control, the OpenPGP he uses might well
> make the decisions for him.

Oh, yes, the implementation may make decisions, but the local user
always has control.  A revocation certificate is really just a
signature.  If I remove it (gpg --edit-key can do this easily), then
my local copy of the key is not revoked any longer.  An expiration
date is just a time_t.  If I set my clock back to before that time,
the key isn't expired any longer.

The user always has control.  There is a convention between
implementations that they won't use a key that has a "revoked"
certificate attached, but what I was saying was that there is nothing
in the cryptography that prevents this.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
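
The point in the message above, that revocation is a signature packet attached to a particular copy of a key and that honouring it is a check the implementation performs, can be seen by walking the packets of a key, as in this added example (not part of the original post and not GnuPG's code). The function names are hypothetical, the sample bytes are constructed rather than taken from a real key, and the code inspects structure only; it does not verify any signature.

```python
KEY_REVOCATION = 0x20  # signature type "key revocation" in the OpenPGP RFC

def packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) key."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                n, length = 0, first
            elif first < 224:
                n, length = 1, ((first - 192) << 8) + data[i] + 192
            elif first == 255:
                n, length = 4, int.from_bytes(data[i:i + 4], "big")
            else:
                raise ValueError("partial body lengths not handled")
        else:                                # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:                       # indeterminate: runs to the end
                n, length = 0, len(data) - i
            else:
                length = int.from_bytes(data[i:i + n], "big")
        i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def sig_type(body):
    """Signature type octet of a v3 or v4 signature packet body."""
    if len(body) > 2 and body[0] in (3, 4):
        return body[1] if body[0] == 4 else body[2]
    raise ValueError("unsupported signature packet")

def carries_revocation(key):
    """True if this copy of the key has a key revocation signature attached."""
    return any(tag == 2 and sig_type(body) == KEY_REVOCATION
               for tag, body in packets(key))

# Constructed sample packets (not a real key; signatures are NOT verifiable).
PUBKEY = bytes([0xC6, 6, 4, 0, 0, 0, 0, 1])                   # tag 6
USERID = bytes([0xCD, 4]) + b"test"                           # tag 13
SELFSIG = bytes([0x88, 10, 4, 0x13, 1, 2, 0, 0, 0, 0, 0, 0])  # tag 2, old format
REVOCATION = bytes([0xC2, 10, 4, 0x20, 1, 2, 0, 0, 0, 0, 0, 0])
```

Two copies of the same key, one with `REVOCATION` and one without, give different answers from `carries_revocation`, which is why a relying party's view of revocation is only as current as the copy of the key it last fetched.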