From 7bbc2f2434fe22de75dba8b8b60c572508e6ade2 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 3 Oct 2023 14:41:33 +0200 Subject: [PATCH] Revocation --- book/source/06-certifications.md | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/book/source/06-certifications.md b/book/source/06-certifications.md index b8b9ae4..c3dcb06 100644 --- a/book/source/06-certifications.md +++ b/book/source/06-certifications.md @@ -113,6 +113,8 @@ A revocation is used to retract the statement formed by a prior signature. A subkey revocation signature revokes a prior subkey binding signature, while a certification revocation revokes a certification signature. Typical use-cases for revocations are marking certificates or individual subkeys as unusable, or marking User IDs as no longer used. +A revocation signature can either be hard or soft. A soft revocation of a certificate invalidates it from the revocation signature's creation time onwards, meaning signatures that were issued before the revocation remain intact, while a hard revocation invalidates the certificate retroactively, rendering all issued signatures invalid, regardless of creation time. Soft revocations are typically used whenever a key or User ID is retired or superseded gracefully, while hard revocations can for example signal compromise of secret key material. + ## Signature Subpackets A cryptographic signature alone is often not expressive enough to serve certain use-cases. @@ -174,6 +176,42 @@ The signature should have the following structure: Self-certifications over User IDs can optionally carry the same subpackets as listed in the previous table (key flags, features, algorithm preferences). This way, separate capabilities can be assigned to different identities. +#### Remove / Revoke User ID +Since OpenPGP certificates are often distributed by the means of key servers, new signatures on a certificate are often "merged" into existing copies of the certificate locally by the recipient. +This means, that it is not really possible to remove signatures / User IDs from a certificate, as there is no way to communicate the intention of packet deletion to the recipient. + +So in order to mark a User ID as invalid, the user can publish a copy of their certificate with a `CertificationRevocation` (signature type 0x30) attached to the invalidated User ID. +This signature signals that the holder of the certificate no longer wants to be associated with that User ID. + +The structure of a certification revocation is as follows: + +| Subpacket | Area | Critical | Mandatory | Notes | +|-----------|------|----------|-----------|-------| +| Signature Creation Time | Hashed | True | True | Current time | +| Issuer Fingerprint | Hashed | True or false | Strongly Recommended | The primary key is the issuer | +| Reason for Revocation | Hashed | True | False | Decides over soft / hard revocation | + +For User ID revocations, the value of the reason subpacket can either be `0` (no reason specified) or `32`, signaling that the User ID is no longer valid. +The latter would result in a soft revocation, while a reason code of `0` is considered a hard revocation. +Omitting the reason packet altogether is also equivalent to a hard revocation. +It is recommended to issue User ID certifications using a reason code `32` and to do certificate revocations using a direct-key signature. + +#### Revoke a Certificate +A user might want to revoke their whole certificate, rendering it unusable. +Depending on the circumstances, they might either want to revoke it softly, e.g. in case of migration to a new certificate, or they want to issue a hard revocation, e.g. in case of secret key material compromise. A soft-revoked certificate can be re-validated at a later point in time, by issuing a new certification, while a hard revocation is typically permanent. + +The recommended way to revoke a certificate is by issuing a key revocation signature (type 0x20). +The structure of a key revocation signature is similar to that of a `CertificationRevocation` signature. + +| Subpacket | Area | Critical | Mandatory | Notes | +|-----------|------|----------|-----------|-------| +| Signature Creation Time | Hashed | True | True | Current time | +| Issuer Fingerprint | Hashed | True or false | Strongly Recommended | The primary key is the issuer | +| Reason for Revocation | Hashed | True | False | Decides over soft / hard revocation | + +One difference is, that the reason subpacket cannot have value `32`, but instead may be from the range of `0-3`. +Values `1` (key superseded) and `3` (key retired and no longer used) are soft reasons, while `0` (no reason) and `2` (key compromised) are considered hard. + #### Common Subpackets There are some subpackets that are expected to be included in any type of signature.