Issues with gpg revocation design


I am making my own gpg server (based on the MIT one). I noticed something weird in the GPG chain of trust.

  1. I create my VeryTrustedKey. I push it to my gpg server. In my code, I force all users to have full trust for this key. It will be the trusted introducer for all users.
  2. A user User1 uploads his key key1 to my server. It is signed by VeryTrustedKey on day 1, the day of the upload.
  3. On day 2, a user User2 imports this key key1. Because User2 has full trust in VeryTrustedKey, he also has full trust in key1.
  4. On day 3, User1 loses his private key. VeryTrustedKey revokes the signature it made on key1.

The issue is that on day 4, User2 still fully trusts key1, even after refreshing from the server (a refresh on the command line using gpg --recv-key KEYID and then gpg --refresh-keys). Is that normal? How can I make it so that the trust goes away on a trusted-introducer revocation?


There are 0 answers
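One check a practitioner would want when investigating the scenario above, added here as an example and not code from the question: a small Python parser for gpg's --with-colons output that flags user IDs still shown as fully valid even though the trusted introducer has revoked its certification. The listing, key IDs and names are constructed for the example; the record layout follows gpg's documented colon format.

```python
# Parse `gpg --check-sigs --with-colons` output and flag user IDs whose validity
# still reads full/ultimate although the trusted introducer revoked its certification.
from dataclasses import dataclass, field

# Constructed listing of key1 as User2 might see it on day 4: the pub/uid records
# still carry validity 'f' (field 2) while a 'rev' record (class 0x30) by
# VeryTrustedKey revokes the certification it made on day 1. Key IDs are made up.
SAMPLE = """\
pub:f:255:22:1111111111111111:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
uid:f::::1700000000::UIDHASH::User1 <user1@example.invalid>::::::::::0:
sig:!::22:1111111111111111:1700000000::::User1 <user1@example.invalid>:13x::0:
sig:!::22:2222222222222222:1700086400::::VeryTrustedKey <introducer@example.invalid>:10x::0:
rev:!::22:2222222222222222:1700259200::::VeryTrustedKey <introducer@example.invalid>:30x::0:
"""
INTRODUCER = "2222222222222222"  # key ID of VeryTrustedKey in the sample

@dataclass
class UserId:
    name: str
    validity: str                                  # field 2: f=full, u=ultimate, q, -, ...
    cert_by: set = field(default_factory=set)      # issuers with a live certification
    revoked_by: set = field(default_factory=set)   # issuers that revoked their certification

def parse_listing(text):
    """Return (key validity, [UserId, ...]); sig/rev records attach to the preceding uid."""
    key_validity, uids = None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_validity = f[1]
        elif f[0] == "uid":
            uids.append(UserId(name=f[9], validity=f[1]))
        elif f[0] in ("sig", "rev") and uids:
            issuer, sig_class = f[4], f[10][:2]      # field 11: class as hex + x/l
            if f[0] == "rev" and sig_class == "30":   # certification revocation
                uids[-1].revoked_by.add(issuer)
            elif f[0] == "sig" and sig_class in ("10", "11", "12", "13"):
                uids[-1].cert_by.add(issuer)
    for u in uids:                                    # a revocation cancels the certification
        u.cert_by -= u.revoked_by
    return key_validity, uids

def stale_trust(text, introducer):
    """User IDs still shown fully/ultimately valid after `introducer` revoked its certification.
    A hit means the trust DB was not recalculated yet (gpg --check-trustdb) or the
    validity comes from elsewhere, e.g. ownertrust set on the key or another certification."""
    _, uids = parse_listing(text)
    return [u.name for u in uids if introducer in u.revoked_by and u.validity in ("f", "u")]
```

Feed it the real output of gpg --check-sigs --with-colons KEYID from User2's keyring before and after gpg --check-trustdb to see whether the displayed validity is merely stale or is held up by something other than the introducer's certification.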