Importing a key that has been revoked by a designated revoker

David Shaw dshaw at jabberwocky.com
Thu Dec 21 22:17:57 CET 2006


On Thu, Dec 21, 2006 at 04:56:54PM +0000, Dave Evans wrote:
> If you import a key that has been revoked by a 
> designated revoker, it seems that it does not show
> as revoked unless the public key of the designated 
> revoker is also on the keyring.  I don't know if
> this is a bug or a feature.

This is neither a bug nor a feature, but a natural result of how
designated revokers work.  Designated revokers do their job by issuing
a signature onto the key they want to revoke.  Naturally, if the
designated revoker's key isn't on the keyring, we have no way to
verify the signature.  If we can't verify the signature, we can't know
if it's real or a forgery.

Keys in this state are treated specially: neither revoked nor not
revoked, but with a question attached.  If you verify a signature from
such a key, you'll see:

  gpg: WARNING: this key might be revoked (revocation key not present)

It might be a good idea to display a similar warning on encryption to
such a key, but we don't do that right now.

David
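
A keyring audit for the state described in this message, as an added example that is not part of the original post or of GnuPG's own code: it reads `gpg --list-keys --with-colons --fingerprint` output and reports keys that name a designated revoker whose key is not on the keyring. The record layout follows GnuPG's doc/DETAILS; the function name and the sample listing (placeholder fingerprints) are constructed for illustration.

```python
# Added example: find keys whose designated revoker is absent from the keyring,
# i.e. keys whose revocation status could not be verified if one were issued.
# Colon-record layout (GnuPG doc/DETAILS): field 1 = record type,
# field 10 = fingerprint for both "fpr" and "rvk" records.

def unverifiable_revokers(colon_listing):
    """Map primary-key fingerprint -> designated revoker fingerprints not on the keyring."""
    present = set()      # fingerprints of primary keys on the keyring
    keys = []            # one dict per "pub" record
    current, last_key_rec = None, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            current = {"fpr": None, "rvk": []}
            keys.append(current)
            last_key_rec = "pub"
        elif rec == "sub":
            last_key_rec = "sub"          # the next fpr belongs to a subkey
        elif rec == "fpr" and current is not None and len(f) > 9:
            if last_key_rec == "pub":     # a revoker is identified by a primary key
                current["fpr"] = f[9]
                present.add(f[9])
        elif rec == "rvk" and current is not None and len(f) > 9:
            current["rvk"].append(f[9])   # designated revoker named by this key
    report = {}
    for key in keys:
        missing = [r for r in key["rvk"] if r not in present]
        if missing and key["fpr"]:
            report[key["fpr"]] = missing
    return report

# Constructed sample listing; fingerprints are placeholders, not real keys.
SAMPLE = "\n".join([
    "pub:u:1024:17:" + "A" * 16 + ":1166700000:::u:::scESC:",
    "rvk:::17::::::" + "B" * 40 + ":80:",     # revoker B is on the keyring
    "fpr:::::::::" + "A" * 40 + ":",
    "sub:u:2048:16:" + "E" * 16 + ":1166700000::::::e:",
    "fpr:::::::::" + "E" * 40 + ":",
    "pub:f:1024:17:" + "B" * 16 + ":1166700000:::f:::scESC:",
    "fpr:::::::::" + "B" * 40 + ":",
    "pub:f:1024:17:" + "C" * 16 + ":1166700000:::f:::scESC:",
    "rvk:::17::::::" + "D" * 40 + ":80:",     # revoker D is NOT on the keyring
    "fpr:::::::::" + "C" * 40 + ":",
])

if __name__ == "__main__":
    for fpr, missing in unverifiable_revokers(SAMPLE).items():
        print(f"{fpr}: revoker key(s) not present: {', '.join(missing)}")
```

Importing the listed revoker keys lets gpg verify any revocation signature they have issued, which resolves the "might be revoked" state one way or the other.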


