4

If a signature was made before the key was revoked will it still be considered as valid after revocation? Assuming that the key was revoked as superseded, the answer is obvious if the key was compromised.

In particular I'm interested in the answer to this question in relation to a master OpenPGP key migration and signing the new key with the old one. Does it make sense to wait before revoking the old key after the new one (and the signature) was published?

I found this question which is similar to mine but it does not concern GPG and web of trust specifically but digital signatures in general.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
raindev
  • 233
  • 1
  • 11

1 Answers1

3

The short version: there is no way to differentiate between signatures issued before and after revoking a key. Faked system times and how attackers could exploit them provide a rather obvious explanation for this.

The slightly longer version with interactive exploration: RFC 4880, OpenPGP does not specify any rules on how to handle signatures issued by revoked keys -- apart from the sentence "A revoked key is not to be used". The behavior in this case is implementation dependent. The most common implementation is probably GnuPG, so let's try how GnuPG acts. Consider following situation:

  • created keypair A in home directory A
  • signed a test document with this key
  • exported public key A
  • imported public key A into home directory B
  • created keypair B in home directory B
  • signed public key A with private key B

We now have a non-revoked key A, a document signed by this key, and this key A is certified by some other party B (and thus the key and its signatures validate successfully).

Now, what happens if we revoke key A (after signing the document)?

gpg: Signature made Wed Nov  1 15:39:35 2017 CET
gpg:                using RSA key 658787F11DEFDEE1DA206171C2F6C4CC6B298CA6
gpg: Good signature from "A" [full]
gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.
gpg: reason for revocation: Key is superseded

What happens if create another signature after revoking A (I took a copy GnuPG home directory A before revoking the key), so B tries to verify a signature issued by an already-revoked key?

gpg: Signature made Wed Nov  3 15:42:31 2017 CET
gpg:                using RSA key 658787F11DEFDEE1DA206171C2F6C4CC6B298CA6
gpg: Good signature from "A" [full]
gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.
gpg: reason for revocation: Key is superseded

With other words: you cannot discriminate between a signature issued before the revocation and one issued after. And this is a reasonable solution: as no third-party timestamping was involved after all, you cannot be sure about the signature's timestamp anyway. In fact, I also faked the system time when issuing the second signature. "Does OpenPGP key expiration add to security?" provides a similar discussion.

Waiting some time might be useful, anyway: for example if you provide a key transition statement, waiting for some time after issuing this (and notifying your peers about it) before revoking the old key might be reasonable. By doing so, people still see the non-revoked old key and can sign your new key, if their signing policy allows this.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96