RudeusGreyrat
Reputation: 121
Issues with gpg revocation design
I am making my own gpg server (based on the MIT one). I noticed something weird in the GPG chain of trust.
- I create my
VeryTrustedKey. I push it to my gpg server. In my code, I force all users to havefulltrust for this key. It will be thetrusted introducerfor all users. - A user
User1upload his keykey1to my server. It is signed byVeryTrustedKeyon day 1 of the upload. - On day 2, a user
User2import thiskey1key. BecauseUser2has a trustfullonVeryTrustedKeyhe also has a trustfullonkey1. - On day 3,
User1loses his private key.VeryTrustedKeyrevoke the signature it has withkey1.
The issue is that on day 4, User2 still fully trust key1, even after refreshing from the server (A refresh by command line using gpg --recv-key KEYID then gpg --refresh-keys)
Is that normal ? How can I make it that trust will go away on a trust introducer revokation.
Upvotes: 0
Views: 66
Answers (0)
Related Questions
- How to Export Private / Secret ASC Key to Decrypt GPG Files
- Git error - gpg failed to sign data
- Is there a way to "autosign" commits in Git with a GPG key?
- Handling secret OpenPGP keys for unit testing
- How to display gpg key details without importing it?
- GPG vs SSH keys
- Trusted GPG certificate
- Official Python GPG Signing Key - Where is it? - gpg: using RSA key FC624643487034E5
- Revocation Certificate GPG