[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPG ignoresthat a key is expired

On Tue, Feb 20, 2001 at 03:25:26PM +0100, Adrian Bunk wrote:
> On Mon, 19 Feb 2001, Zed Pobre wrote:
> >     Just wait, I expect, but I wouldn't worry about looking for
> > sponsors, since uploads from expired keys aren't rejected.  The key I
> Can anyone explain why gpg ignores that a key is expired? I consider this
> a big security hole!

    GnuPG will print a warning noting that they key is expired, but
beyond that, you seem to have missed the part where I noted that the
later keytypes actually allow you to CHANGE THE EXPIRE DATE, making it
completely meaningless as a security tool for anything except v3 RSA
keys anyway.
    Furthermore, just because a key has gone beyond the expiration
date doesn't mean it's not good to know whether an older message has
been tampered with or not -- i.e. there must be a difference between a
good-but-expired signature and a bad-but-expired signature -- and
therefore an option must be present in any case to tell it to behave
exactly the way it does, which is to verify with a warning.
    The only issue seems to be that the worthlessness of key expiration
doesn't seem to be well documented, and that I don't think there's an
option to force GPG to fail on expired sigs if you want it to.

Zed Pobre <zed@debian.org> a.k.a. Zed Pobre <zed@resonant.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.

Attachment: pgpxGKqc4iN1m.pgp
Description: PGP signature

Reply to: