GPG ignoresthat a key is expired

To: Zed Pobre <zed@debian.org>
Cc: <debian-security@lists.debian.org>, <gnupg@packages.debian.org>
Subject: GPG ignoresthat a key is expired
From: Adrian Bunk <bunk@fs.tum.de>
Date: Tue, 20 Feb 2001 15:25:26 +0100 (CET)
Message-id: <Pine.NEB.4.33.0102201521100.9743-100000@io.fachschaften.tu-muenchen.de>
In-reply-to: <20010219175205.B16661@resonant.org>

On Mon, 19 Feb 2001, Zed Pobre wrote:

>     Just wait, I expect, but I wouldn't worry about looking for
> sponsors, since uploads from expired keys aren't rejected.  The key I
> use for uploading expired some months ago, and although my new key
> still hasn't been put in the keyring, I'm not having any problems
> uploading.
>...

<--  snip  -->

$ gpg --verify  mtools_3.9.7+20001213-2_i386.changes
gpg: Signature made Sun Jan 14 19:35:31 2001 CET using DSA key ID 6A40C91E
gpg: Good signature from "Adrian Bunk <bunk@fs.tum.de>"
gpg:                 aka "Adrian Bunk <bunk@debian.org>"
$ gpg --list-keys 6A40C91E
pub  1024D/6A40C91E 2000-08-20 Adrian Bunk <bunk@fs.tum.de>
uid                            Adrian Bunk <bunk@debian.org>
sub  2048g/66774AB6 2000-08-20 [expires: 2001-02-16]

$ date
Tue Feb 20 15:24:03 CET 2001
$

<--  snip  -->


Can anyone explain why gpg ignores that a key is expired? I consider this
a big security hole!

cu
Adrian

-- 

Nicht weil die Dinge schwierig sind wagen wir sie nicht,
sondern weil wir sie nicht wagen sind sie schwierig.

Reply to:

Follow-Ups:
- Re: GPG ignoresthat a key is expired
  - From: Zed Pobre <zed@resonant.org>

Prev by Date: Re: OpenSSH and CVS
Next by Date: Re: GPG ignoresthat a key is expired
Previous by thread: Re: snort problem
Next by thread: Re: GPG ignoresthat a key is expired
Index(es):
- Date
- Thread