revocation_keys should get designated revokers from all valid self signatures
Amalgamation::revocation_keys
looks for designated revoker subpackets on the current direct key signature and the current binding signature. I think this is not enough: it should consider all valid signatures ever made. And, I mean ever, not only those valid at self.time
! There are two reasons for this: First, like with hard revocations, we don't want an attacker to be able to invalidate a designated revoker packet. Second, the RFC says:
If the "sensitive" flag is set, the keyholder feels this subpacket
contains private trust information that describes a real-world
sensitive relationship. If this flag is set, implementations SHOULD
NOT export this signature to other users except in cases where the
data needs to be available
This suggests that the signature with the designated revoker packet may be made available by the designated revoker later. If the user were to create a new self signature, this would invalidate the signature with the designated revoker packet, which defeats the purpose of this scheme.