On 01/20/2017 12:40 PM, grarpamp wrote:
On Thu, Jan 19, 2017 at 11:44 PM, Razer <g2s@riseup.net> wrote:
gpg: Signature made Mon 15 Aug 2016 10:01:19 PM PDT using RSA key ID 139A768E
Primary key fingerprint: 4E07 9126 8F7C 67EA BE88  F1B0 3043 E2B7 139A 768E

      
The canary hasn't been updated but the gpg output still shows a good sig

      
They could still kill the canary by revoking the key, and they haven't done
that.
A canary that has not met its own terms of service is a dead canary.
If the terms were defective, cause of death might be found as some
specific like from being tossed overboard in muddy waters with
concrete shoes on, regardless still quite dead.

The sig will always bitwise validate, though what level of value
to place in any sig expiry parameter is up to user. In canary it should
be treated as a bound on validity. Though most seem to make their
validity period statement in the content they're signing over.

As to key revocation, a reup selfsig to that key landed on 2016-10-21,
with five hopefully thoughtful and careful wot sigs over it since then.
With four of them occurring on or after the content expiry date.

Other keys possibly belonging to riseup have not reupped or revoked,
nor may necessarily be known to public wot, such as this on sks
pub  4096R/D6F6C5B4 2010-11-11 archive collective@


The bird is well beyond its update schedule, therefore it's dead.
Remains to be seen whether there will be an updated canary,
silence, or free speech / destruction possibly including potential
martyrdom in the brig.

A revoked key is a revoked key no matter how many people signed it. You take what you can get and think on your feet or YOU'RE the dead canary. Most legal wonks have publicly stated that KILLING A CANARY IS THE EQUIVALENT OF VIOLATING A FISA WARRANT OR GAG ORDER meaning Canaries are damn near useless anyway.

But revoking a sig related to it? Legally obtuse.

You figure it out. Palaver about it all you want. I'll bank on their key not being revoked thanks.

Rr
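
The two signals argued over in this thread (a signature that still verifies versus a canary past its update schedule, and key revocation as a separate state) can be checked independently. The following is an added example, not part of the original messages: it classifies a canary from GnuPG's machine-readable status lines. The 90-day schedule, the function name `canary_state` and every status field other than the fingerprint and signing time quoted above are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fingerprint and signing time are the ones quoted in the message above;
# every other field in these status lines is constructed for illustration.
FPR = "4E0791268F7C67EABE88F1B03043E2B7139A768E"
SIGNED = datetime(2016, 8, 16, 5, 1, 19, tzinfo=timezone.utc)  # 15 Aug 2016 22:01:19 PDT
SAMPLE_STATUS = (
    f"[GNUPG:] GOODSIG {FPR[-16:]} constructed-uid\n"
    f"[GNUPG:] VALIDSIG {FPR} 2016-08-16 {int(SIGNED.timestamp())} 0 4 0 1 8 01 {FPR}\n"
)

def canary_state(status_text, pinned_fpr, max_age, now):
    """Classify a canary from the status lines of `gpg --status-fd 1 --verify`."""
    signed_at = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG"):
            return "bad-signature"
        if keyword == "REVKEYSIG":  # good signature, but the key is revoked
            return "key-revoked"
        if keyword in ("EXPSIG", "EXPKEYSIG"):
            return "expired"
        if keyword == "VALIDSIG" and len(fields) >= 12:
            # fields[2] signing-key fingerprint, fields[4] signature time,
            # fields[11] primary-key fingerprint (assumes epoch-seconds format)
            if fields[11] != pinned_fpr:
                return "wrong-key"
            signed_at = datetime.fromtimestamp(int(fields[4]), tz=timezone.utc)
    if signed_at is None:
        return "no-valid-signature"
    # The signature verifies forever; freshness is a separate, local decision.
    return "alive" if now - signed_at <= max_age else "stale"

if __name__ == "__main__":
    schedule = timedelta(days=90)  # assumed update interval, not stated on this page
    today = datetime(2017, 1, 20, tzinfo=timezone.utc)
    print(canary_state(SAMPLE_STATUS, FPR, schedule, today))
```

With the constructed status lines and the assumed 90-day schedule, the same good signature is classified differently depending only on the date it is checked.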