Revoke signature from key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 21 21:18:09 CET 2011


On 03/21/2011 04:05 PM, David Shaw wrote:
> While the common usage for regular users is to sign based on checking identity, signatures can be just as well used as a token to indicate membership.   For example, the PGP product has the concept of a "Corporate Signing Key", which is used to sign employee keys to indicate they are genuine (and their keyserver can actually enforce this).  They are not signing to say that Alice is Alice, they are signing to say that Alice is Alice, and works for Company X (i.e. they would not sign Alice's personal key).
> 
> If I was going to do this with a group, like above, I'd probably make a special Group Signing Key to issue the membership signatures to avoid confusing my personal signatures with the group membership ones, though.

If i was going to try to indicate more than a simple identity binding
with an OpenPGP signature, i'd define an OpenPGP notation [0] and
include the relevant subpacket in my signature.

This way, the same signing key is capable of making identity
certifications *and* identity+metadata certifications.

For example, to indicate that the holder of $keyid will be employed by
the technical support department of Example Corp for the next year:

 gpg --sign-key --cert-notation 'department@example.com=tech-support' \
    --default-cert-expire 1y "$keyid"

(and proceed with the usual identity checks as well)

	--dkg

[0] https://tools.ietf.org/html/rfc4880#section-5.2.3.16
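The notation data subpacket referenced in [0] has a fixed wire layout: a four-octet flags field (top bit set means the value is human-readable text), two-octet name and value lengths, then the name and value octets, all wrapped in the usual subpacket length header and type octet (type 20, with the high bit of the type octet marking the subpacket critical). The following Python is an added example, not part of the original message or of GnuPG, that builds and parses such subpackets so a reader can see exactly what a certification carrying a `department@example.com=tech-support` notation contains. The `name@domain` check on user notation names follows RFC 4880; the second `role@example.com` notation in the sample is constructed for illustration.

```python
import re
import struct

# Subpacket type number for "Notation Data" (RFC 4880, section 5.2.3.16)
SUBPACKET_NOTATION_DATA = 20
# Flag bit in the 4-octet notation flags field: value is human-readable text
NOTATION_FLAG_HUMAN_READABLE = 0x80000000

# User-space notation names must be "name@domain" (RFC 4880 5.2.3.16);
# names without '@' are reserved for the IETF namespace.
_USER_NOTATION_NAME = re.compile(r"^[^@\s]+@[^@\s]+$")


def encode_subpacket_length(length: int) -> bytes:
    """Encode a signature-subpacket length as in RFC 4880 section 5.2.3.1."""
    if length < 192:
        return bytes([length])
    if length < 16320:  # 192..16319 use the two-octet form
        length -= 192
        return bytes([(length >> 8) + 192, length & 0xFF])
    return b"\xff" + struct.pack(">I", length)


def decode_subpacket_length(data: bytes, offset: int):
    """Return (length, new_offset) for the subpacket length at data[offset]."""
    first = data[offset]
    if first < 192:
        return first, offset + 1
    if first < 255:
        return ((first - 192) << 8) + data[offset + 1] + 192, offset + 2
    return struct.unpack(">I", data[offset + 1:offset + 5])[0], offset + 5


def build_notation_subpacket(name: str, value: str, critical: bool = False) -> bytes:
    """Build a complete notation-data subpacket (length header + type octet + body)."""
    if not _USER_NOTATION_NAME.match(name):
        raise ValueError(f"notation name {name!r} is not of the form name@domain")
    name_b = name.encode("utf-8")
    value_b = value.encode("utf-8")
    body = (struct.pack(">IHH", NOTATION_FLAG_HUMAN_READABLE, len(name_b), len(value_b))
            + name_b + value_b)
    type_octet = SUBPACKET_NOTATION_DATA | (0x80 if critical else 0)
    # The length counts the type octet plus the body, not the length field itself.
    return encode_subpacket_length(1 + len(body)) + bytes([type_octet]) + body


def parse_subpackets(data: bytes):
    """Split a hashed/unhashed subpacket area into (type, critical, body) tuples."""
    out = []
    offset = 0
    while offset < len(data):
        length, offset = decode_subpacket_length(data, offset)
        if length < 1 or offset + length > len(data):
            raise ValueError("truncated or malformed subpacket")
        type_octet = data[offset]
        body = data[offset + 1:offset + length]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), body))
        offset += length
    return out


def parse_notation(body: bytes) -> dict:
    """Decode the body of a type-20 subpacket into name/value/human_readable."""
    if len(body) < 8:
        raise ValueError("notation body shorter than its 8-octet header")
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    if 8 + name_len + value_len != len(body):
        raise ValueError("notation length fields disagree with body length")
    name_b = body[8:8 + name_len]
    value_b = body[8 + name_len:8 + name_len + value_len]
    human = bool(flags & NOTATION_FLAG_HUMAN_READABLE)
    return {
        "name": name_b.decode("utf-8"),
        # A value without the human-readable flag is opaque binary; keep raw bytes.
        "value": value_b.decode("utf-8") if human else value_b,
        "human_readable": human,
    }


def notations_in(subpacket_area: bytes) -> list:
    """All notations found in a subpacket area (the octets after the 2-octet count)."""
    return [parse_notation(body) for t, _crit, body in parse_subpackets(subpacket_area)
            if t == SUBPACKET_NOTATION_DATA]


if __name__ == "__main__":
    # Constructed sample: the notation from the message plus a hypothetical second one.
    area = (build_notation_subpacket("department@example.com", "tech-support")
            + build_notation_subpacket("role@example.com", "contractor", critical=True))
    for n in notations_in(area):
        print(n)
```

When checking a certification that is supposed to carry membership metadata, a verifier should look for the notation in the hashed subpacket area only; notations in the unhashed area are not covered by the signature and can be altered in transit.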
