mirror of
https://codeberg.org/openpgp/notes.git
synced 2024-11-27 01:52:06 +01:00
edit ch8 soft and hard revocations
This commit is contained in:
parent
f795da774d
commit
a8b17f8fe4
1 changed files with 5 additions and 7 deletions
@ -188,17 +188,15 @@ Revocations are used to mark components or signatures as invalid.
Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable).
Note: certification signatures [can be made irrevocable](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-revocable).
#### Hard vs. soft revocations
#### Hard vs soft revocations
A revocation signature can contain a subpacket indicating the [*reason for revocation*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-reason-for-revocation). The value of this subpacket contains a code that specifies why the revocation was issued. This code determines whether the revocation is considered a *soft revocation* or a *hard revocation*:
Revocation signatures often include a [*reason for revocation*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-reason-for-revocation) subpacket, with a code specifying why the revocation was issued. This code determines whether the revocation is considered *soft* or *hard*.
- A *soft revocation* is typically used for graceful or planned invalidation. Soft revocation of a component invalidates it from the revocation signature's creation time onwards. Uses of the component before the revocation time remain intact. Soft revocations can be reverted by re-validating the invalidated component with a new self-signature.
- **Soft revocation**: This is typically used for graceful or planned invalidation of components, such as retiring or updating components. It invalidates the component from the revocation signature's creation time, but earlier uses remain valid. Soft revocations can be reversed with a new self-signature.
- A *hard revocation*, by contrast, invalidates the component retroactively, rendering all past and future uses invalid. Hard revocation of a component cannot be undone by re-validating the component.
- **Hard revocation**: This irrevocably invalidates the component, affecting all past and future uses. It is typically used to signal compromise of secret key material.
Soft revocations are typically used when a certificate, subkey or User ID is retired or superseded gracefully, while hard revocations are typically used to signal compromise of secret key material.
```{note}
```{note}
A revocation signature that has no *reason for revocation* subpacket is interpreted as a hard revocation.
A revocation signature lacking a *reason for revocation* subpacket is interpreted as a hard revocation.
```
```
(third_party_cert)=
(third_party_cert)=
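Review bot: the two specification links in this hunk cite different draft revisions, which will leave readers on inconsistent anchors: the unchanged "Note: certification signatures [can be made irrevocable](...crypto-refresh-10...)" line points at draft -10, while the rewritten "reason for revocation" link points at draft -12. Since the soft/hard classification this section explains is defined by the reason-for-revocation subpacket in that same document, bump the irrevocable link to the -12 anchor in this change so both references resolve against one revision. A wording point on the new soft-revocation bullet: "Soft revocations can be reversed with a new self-signature" reads as if the revocation signature itself is retracted; the old text's "reverted by re-validating the invalidated component with a new self-signature" is more precise, because it is the component that is re-validated, not the revocation that is withdrawn, so consider keeping "re-validating the component" in the new bullet. Folding the deleted "Soft revocations are typically used when a certificate, subkey or User ID is retired ..." paragraph into the two bullets is fine, but the concrete list of component kinds (certificate, subkey, User ID) was lost in the merge; re-adding it to the soft bullet keeps the guidance actionable.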