
Check for revocation of the ADSK's original subkey
Open, High, Public

Description

We need to handle the case that the actual key used for the ADSK (the one with the private part) has been revoked. Thus when checking the subkeys for encryption we do not only need to check their own validity (key binding signature and revocations etc) but also check whether there is a copy of the original key and check that one for revocations.

Event Timeline

werner created this object in space Restricted Space.
werner created this object with edit policy "Contributor (Project)".
werner shifted this object from the Restricted Space space to the S1 Public space.

With the next gpg release (2.5.14) the keyboxd has an extended fingerprint table which carries a flags column. A bit in this column can eventually be used to mark subkeys with the "R" key flag and the search function can be enhanced to ignore keys with that flag set. This way we can more easily look up the actual ADSK key (with the "E" key flag) and check whether this subkey has been revoked.

Consider the case of, say, 1000 keys from one's own domain in the keyring and each one has an ADSK. Parsing all those subkeys just to find the actual ADSK key would take a bit too long. Another option is to have a background job to check for revoked ADSKs.
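The check described in the task description, together with the fingerprint index that skips "R"-flagged subkeys from the comment above, as an added Python model (not GnuPG or keyboxd code; key structures, flag sets and fingerprints are constructed placeholders, and an ADSK whose original is absent from the keyring is left usable because nothing more can be checked):

```python
from dataclasses import dataclass, field

@dataclass
class Subkey:
    fpr: str               # fingerprint (sample values below are constructed)
    flags: set             # key flags: "E" = encryption, "R" = ADSK copy
    revoked: bool = False  # own key-binding signature revoked

@dataclass
class Key:
    fpr: str
    subkeys: list = field(default_factory=list)

def build_fpr_index(keyring):
    """Fingerprint -> subkey, skipping "R"-flagged ADSK copies so that a
    lookup lands on the original subkey (the one that has a private part),
    mirroring the flags-column idea for the keyboxd fingerprint table."""
    index = {}
    for key in keyring:
        for sk in key.subkeys:
            if "R" not in sk.flags:
                index[sk.fpr] = sk
    return index

def usable_encryption_subkeys(key, index):
    """Fingerprints of `key`'s encryption subkeys that may be used.
    A plain subkey must not be revoked. An ADSK copy must not be revoked
    itself, and if a copy of the original subkey is in the keyring that
    original must not be revoked either."""
    usable = []
    for sk in key.subkeys:
        if "E" not in sk.flags or sk.revoked:
            continue
        if "R" in sk.flags:
            original = index.get(sk.fpr)
            if original is not None and original.revoked:
                continue  # ADSK points at a revoked key: do not encrypt to it
        usable.append(sk.fpr)
    return usable

# Constructed sample keyring: fingerprints are placeholders, not real keys.
KEYRING = [
    Key("ADMIN", [Subkey("ADSK-OLD", {"E"}, revoked=True),
                  Subkey("ADSK-NEW", {"E"})]),
    Key("ALICE", [Subkey("ALICE-E", {"E"}),
                  Subkey("ADSK-OLD", {"E", "R"})]),                 # original revoked
    Key("BOB",   [Subkey("BOB-E", {"E"}),
                  Subkey("ADSK-NEW", {"E", "R"})]),                 # original fine
    Key("CAROL", [Subkey("CAROL-E", {"E"}),
                  Subkey("ADSK-NEW", {"E", "R"}, revoked=True)]),   # copy itself revoked
]

if __name__ == "__main__":
    idx = build_fpr_index(KEYRING)
    for k in KEYRING:
        print(k.fpr, usable_encryption_subkeys(k, idx))
```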