On Wed, Sep 23, 2009 at 4:20 AM, Werner Koch <[email protected]> wrote: > On Tue, 22 Sep 2009 17:50, [email protected] said: > >> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired >> when the signature was made, right? If that shows up along with > > It means that the key has expired by now. > >> VALIDSIG, it's ok to trust the signature, correct? What about > > That is up to you. Usually you would show a message stating that the > key used to create the message meanwhile expired. Whether you take the > signature creation date into account and show a different message is up > to you. If a signer wants to use an expired key for signing he may as > well change the signature creation time. > >> REVKEYSIG? If a key is revoked, is there an easy way to know if the >> signature was made prior to revocation, or would it be necessary to >> just compare the stamps on the signature and the revocation? > > There is no way becuase you don't know why the key was revoked. Sure > the revocation signature allows to give a reason of revocation and you > can take that in account, but if the key was compromised an attacker may > also create a revocation with a different reasons (e.g. key superseded). > You can't tell who did the revocation. > > > Salam-Shalom, > > Werner > > -- > Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. > >
Great, thanks for the help, Werner. By the way, are there any python or PHP bindings for GPGME? -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://keys.gnupg.net _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
