The revoke key method in openssl encrypt server/modules/keyserver/service.py at lines 195-270 accepts a client id parameter but never verifies that the requesting client is the same as key.owner client id.

Any authenticated client can revoke any other client's key, as long as they provide a valid revocation signature. While the signature requirement mitigates this somewhat (you need the private key to sign), the lack of ownership check is a defense-in-depth gap.

Fixed in commit 05e45f3 on branch releases/1.4.x — added documentation that ML-DSA signature verification IS the cryptographic ownership check; added info-level logging on successful verification.