On Tue, Feb 20, 2001 at 03:25:26PM +0100, Adrian Bunk wrote:
> On Mon, 19 Feb 2001, Zed Pobre wrote:
>
> > Just wait, I expect, but I wouldn't worry about looking for
> > sponsors, since uploads from expired keys aren't rejected. The key I
[...]
> Can anyone explain why gpg ignores that a key is expired? I consider this
> a big security hole!

GnuPG will print a warning noting that the key is expired, but beyond that, you seem to have missed the part where I noted that the later keytypes actually allow you to CHANGE THE EXPIRE DATE, making it completely meaningless as a security tool for anything except v3 RSA keys anyway.

Furthermore, just because a key has gone beyond the expiration date doesn't mean it's not good to know whether an older message has been tampered with or not -- i.e. there must be a difference between a good-but-expired signature and a bad-but-expired signature -- and therefore an option must be present in any case to tell it to behave exactly the way it does, which is to verify with a warning.

The only issue seems to be that the worthlessness of key expiration doesn't seem to be well documented, and that I don't think there's an option to force GPG to fail on expired sigs if you want it to.

-- 
Zed Pobre <zed@debian.org> a.k.a. Zed Pobre <zed@resonant.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
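As an added example, not part of this message or of GnuPG itself: a Python policy layer over GnuPG's documented --status-fd output that keeps the good-but-expired versus bad-but-expired distinction the message describes, and adds the strict "fail on expired" switch it says GnuPG lacks. The status keywords are GnuPG's own; the sample status lines, key ids, user ids and the verify_file helper are constructed for illustration.

```python
import subprocess

# GnuPG status keywords, taken from its documented --status-fd interface.
GOOD = {"GOODSIG"}
EXPIRED = {"EXPSIG", "EXPKEYSIG"}  # signature checks out, but the sig or key has expired
BAD = {"BADSIG", "ERRSIG"}         # tampered data, or the signature could not be checked

# Constructed sample status output (key ids and user ids are made up).
SAMPLE_GOOD = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Example <ex@example.invalid>\n"
SAMPLE_EXPIRED_KEY = "[GNUPG:] NEWSIG\n[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example <ex@example.invalid>\n"
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example <ex@example.invalid>\n"


def classify_status(status_text):
    """Reduce the status lines of one verification run to a single verdict:
    "good", "expired" (good-but-expired), "bad", or "none" (no signature seen)."""
    verdict = "none"
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in BAD:
            return "bad"            # one bad signature poisons the whole result
        if keyword in EXPIRED:
            verdict = "expired"     # verified, but only with a warning
        elif keyword in GOOD and verdict == "none":
            verdict = "good"
    return verdict


def signature_acceptable(status_text, strict=False):
    """strict=False mirrors GnuPG's default (expired still verifies, with a warning);
    strict=True is the missing "fail on expired" policy the message asks for."""
    verdict = classify_status(status_text)
    if verdict == "good":
        return True
    if verdict == "expired":
        return not strict
    return False                    # "bad" and "none" are never acceptable


def verify_file(signature_path, data_path, strict=False):
    """Hypothetical helper: run gpg on a detached signature and apply the policy.
    --status-fd 1 puts the machine-readable lines on stdout; gpg's human-readable
    warnings still go to stderr."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return signature_acceptable(proc.stdout, strict)
```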