
Re: GPG ignores that a key is expired



On Tue, Feb 20, 2001 at 03:25:26PM +0100, Adrian Bunk wrote:
> On Mon, 19 Feb 2001, Zed Pobre wrote:
> 
> >     Just wait, I expect, but I wouldn't worry about looking for
> > sponsors, since uploads from expired keys aren't rejected.  The key I
[...]
> Can anyone explain why gpg ignores that a key is expired? I consider this
> a big security hole!

    GnuPG will print a warning noting that the key is expired, but
beyond that, you seem to have missed the part where I noted that the
later keytypes actually allow you to CHANGE THE EXPIRE DATE, making it
completely meaningless as a security tool for anything except v3 RSA
keys anyway.
    Furthermore, just because a key has gone beyond the expiration
date doesn't mean it's not good to know whether an older message has
been tampered with or not -- i.e. there must be a difference between a
good-but-expired signature and a bad-but-expired signature -- and
therefore an option must be present in any case to tell it to behave
exactly the way it does, which is to verify with a warning.
    The only issue seems to be that the worthlessness of key expiration
doesn't seem to be well documented, and that I don't think there's an
option to force GPG to fail on expired sigs if you want it to.

-- 
Zed Pobre <zed@debian.org> a.k.a. Zed Pobre <zed@resonant.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.

Attachment: pgpxGKqc4iN1m.pgp
Description: PGP signature
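Added example (not part of the thread, and not GnuPG's own code): the distinction the reply draws between a good-but-expired and a bad-but-expired signature is exactly what GnuPG's machine-readable `--status-fd` output exposes, so a caller can implement the "fail on expired signatures" switch the reply says is missing. The code assumes the status keywords documented in GnuPG's doc/DETAILS (NEWSIG, GOODSIG, EXPKEYSIG, EXPSIG, REVKEYSIG, BADSIG, ERRSIG, KEYEXPIRED, VALIDSIG); the sample status lines, key id and timestamps are constructed placeholders, not captured output.

```python
"""Classify GnuPG --status-fd output so that a good-but-expired signature
is reported as such and can be rejected on request.

Added example, not from the mailing-list thread or from GnuPG itself.
Assumes the status keywords from GnuPG's doc/DETAILS; sample lines below
are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Signature is cryptographically correct, but carries a caveat.
_OK_WITH_CAVEAT = {
    "EXPKEYSIG": "good-but-expired",   # signing key has expired
    "EXPSIG": "good-but-expired",      # signature itself has an expiry
    "REVKEYSIG": "good-but-revoked",   # signing key was revoked
}
# Signature does not verify at all (tampered data, or unusable key).
_BAD = {"BADSIG", "ERRSIG"}


@dataclass
class Verdict:
    outcome: str                          # good | good-but-expired | good-but-revoked | bad | none
    keyid: Optional[str]                  # long key id from the status line, if any
    key_expired_at: Optional[int] = None  # KEYEXPIRED timestamp, if reported


def classify_status(status_lines: List[str]) -> Verdict:
    """Reduce one signature's status records to a single verdict.

    gpg emits exactly one of GOODSIG / EXPKEYSIG / EXPSIG / REVKEYSIG /
    BADSIG / ERRSIG per signature; KEYEXPIRED may precede it.
    """
    verdict = Verdict(outcome="none", keyid=None)
    for line in status_lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary human-readable output, not a status record
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "KEYEXPIRED" and len(fields) > 1:
            verdict.key_expired_at = int(fields[1])
        elif keyword == "GOODSIG":
            verdict.outcome, verdict.keyid = "good", fields[1]
        elif keyword in _OK_WITH_CAVEAT:
            verdict.outcome, verdict.keyid = _OK_WITH_CAVEAT[keyword], fields[1]
        elif keyword in _BAD:
            verdict.outcome, verdict.keyid = "bad", fields[1]
    return verdict


def verify_strict(status_lines: List[str], allow_expired: bool = False) -> bool:
    """The 'fail on expired signatures' option the reply asks for.

    True only for a clean GOODSIG, or for a good-but-expired signature
    when the caller explicitly opts in. Bad, revoked and absent
    signatures always fail, so tampering is never masked by expiry.
    """
    verdict = classify_status(status_lines)
    if verdict.outcome == "good":
        return True
    return allow_expired and verdict.outcome == "good-but-expired"


def gpg_status_lines(sig_path: str, data_path: Optional[str] = None) -> List[str]:
    """Run gpg --verify and return its status records (assumes gpg on PATH)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path:
        cmd.append(data_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed sample: a signature that checks out, made by a key that has
# since expired (key id, fingerprint and timestamps are placeholders).
GOOD_BUT_EXPIRED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 981763200",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2001-02-19 "
    "982540800 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
]

# Constructed sample: tampered data, signed with the same expired key.
BAD_AND_EXPIRED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 981763200",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>",
]

if __name__ == "__main__":
    for name, lines in (("good-but-expired", GOOD_BUT_EXPIRED), ("bad", BAD_AND_EXPIRED)):
        v = classify_status(lines)
        print(f"{name}: outcome={v.outcome} keyid={v.keyid} "
              f"strict={verify_strict(lines)} lenient={verify_strict(lines, allow_expired=True)}")
```

The point of keeping `classify_status` and `verify_strict` separate is that the policy (reject expired, or merely warn) is a caller decision, while the fact of whether the data was tampered with is not: a BADSIG on an expired key stays a failure no matter what policy is chosen, which is the distinction the reply insists on.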

