On 05/11/2018 17:56, Gert Doering wrote:
> On Mon, Nov 05, 2018 at 04:12:10PM +0100, Edward Shryane via db-wg wrote:
>> Is it enough to update or delete a revoked key? Should the RIPE database
>> process key revocation certificates?
>
> One of the problems here is that the RIPE DB cannot reliably know if
> a GPG key is revoked, unless it is *told*.
>
> "Telling it" can be done nicely by removing the key-cert object - otherwise
> it would need to poll key-servers and hope for a key revocation to appear
> there.

I suggest just removing the key-cert object, instead of updating the
key-cert object with a revoked version.

> A catch-22 arises if the key-cert object needs a signed update with that
> very key to be deleted...

I would not use this approach of requiring a signed update to remove the
key. If an authenticated SSO account is signed into the RIPE NCC website
and tries to remove a key-cert object from the DB, this should be allowed.

--
Christoffer Hansen
