RFC 4880, "OpenPGP Message Format", November 2007
Source of RFC: openpgp (sec)
Errata ID: 3298
Reported By: Daniel Kahn Gillmor
Date Reported: 2012-07-27
Verifier Name: Stephen Farrell
Date Verified: 2013-03-16
Section 5.2.4 says:
Key revocation signatures (types 0x20 and 0x28) hash only the key being revoked.
It should say:
Primary key revocation signatures (type 0x20) hash only the key being revoked. Subkey revocation signatures (type 0x28) hash first the primary key and then the subkey being revoked.
This amendment to subkey revocation signatures is intended to align the spec with existing implementations. (It also makes the subkey revocation signatures more symmetric with the subkey binding signatures.)
GnuPG (all known versions with subkey support) hashes both keys, as does PGP (tested at version 6.5.8). I'm unaware of any other OpenPGP implementation that actually complies with the spec as written for subkey revocations.
This was apparently noticed (but apparently ignored) back in 2000 (see point 2 of ) and was recently discussed again on the IETF list .
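The hash input this erratum describes, as an added example that is not part of the erratum or of any OpenPGP implementation's code: it builds the octets hashed for a v4 revocation signature under the corrected text and under the original wording, so the resulting digest mismatch (and hence the failed verification of a subkey revocation) is visible. Function names, the placeholder key bodies, the empty hashed subpacket area and the choice of algorithm IDs 1 (RSA) and 8 (SHA-256) are assumptions for illustration.

```python
import hashlib
import struct

KEY_REVOCATION, SUBKEY_REVOCATION = 0x20, 0x28  # signature types named in the erratum

def key_material(body: bytes) -> bytes:
    # RFC 4880 5.2.4: a hashed key is 0x99, a two-octet length, then the key packet body.
    if len(body) > 0xFFFF:
        raise ValueError("key packet body too long for a two-octet length")
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_trailer(sig_type: int, pk_algo: int, hash_algo: int, hashed_subpackets: bytes) -> bytes:
    # Hashed part of the v4 signature packet, then 0x04 0xFF and its four-octet length.
    head = bytes([4, sig_type, pk_algo, hash_algo])
    head += struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets
    return head + b"\x04\xff" + struct.pack(">I", len(head))

def revocation_hash_input(sig_type, primary, subkey=None, *, corrected=True,
                          pk_algo=1, hash_algo=8, hashed_subpackets=b""):
    """Octets fed to the hash for a v4 key or subkey revocation signature.

    corrected=True follows the erratum; corrected=False follows the original
    wording, under which a 0x28 signature hashes only the key being revoked.
    """
    if sig_type == KEY_REVOCATION:
        if subkey is not None:
            raise ValueError("type 0x20 covers the primary key only")
        keys = key_material(primary)
    elif sig_type == SUBKEY_REVOCATION:
        if subkey is None:
            raise ValueError("type 0x28 needs the subkey being revoked")
        keys = key_material(subkey)
        if corrected:
            keys = key_material(primary) + keys  # primary first, then subkey
    else:
        raise ValueError("not a key revocation signature type")
    return keys + v4_trailer(sig_type, pk_algo, hash_algo, hashed_subpackets)

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # hash algorithm ID 8 is SHA-256

# Constructed placeholder bytes standing in for key packet bodies (not real keys).
PRIMARY = b"\x04" + b"P" * 20
SUBKEY = b"\x04" + b"S" * 20

if __name__ == "__main__":
    fixed = revocation_hash_input(SUBKEY_REVOCATION, PRIMARY, SUBKEY)
    literal = revocation_hash_input(SUBKEY_REVOCATION, PRIMARY, SUBKEY, corrected=False)
    print("erratum :", digest(fixed).hex())
    print("original:", digest(literal).hex())
```

A verifier that hashes only the subkey computes the second digest and cannot validate subkey revocations issued by implementations that hash both keys.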