Re: Expired GPG keys of older release

To: debian-user@lists.debian.org
Subject: Re: Expired GPG keys of older release
From: Richard Hector <richard@walnut.gen.nz>
Date: Mon, 25 Jun 2018 11:49:27 +1200
Message-id: <[🔎] 6168fa89-fd99-a92e-9cab-c00d381e3b82@walnut.gen.nz>
In-reply-to: <[🔎] m3k1qqll6v.fsf@carbon.jhcloos.org>
References: <[🔎] ddca0514-7d2b-2a77-4246-e0c4525125cb@hitec.lu> <[🔎] 20180620072102.GA18456@tuxteam.de> <[🔎] m3k1qqll6v.fsf@carbon.jhcloos.org>

On 23/06/18 06:39, James Cloos wrote:
>>>>>> "T" == <tomas@tuxteam.de> writes:
> 
> T> And just extending the keys' validity (as someone proposed in this
> T> thread) seems a bad idea too, since the requirement for secure keys
> T> evolves over time, as the NSA^H^H^H bad guys buy more GPUs.
> 
> The problem is that the point of a key's expiration time is that
> signatures newer than that should fail, but all signatures made before
> the expiration should verify.
> 
> So, if apt's signature verification only looks at the key's expiration
> date and not at the signature's timestamp, that is a bug.

Disagree. If someone has a copy of the expired key (which is what
compromised means, right?), then they can fake the timestamp.

Richard

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Expired GPG keys of older release
  - From: Adam Cecile <adam.cecile@hitec.lu>
- Re: Expired GPG keys of older release
  - From: <tomas@tuxteam.de>
- Re: Expired GPG keys of older release
  - From: James Cloos <cloos@jhcloos.com>

Prev by Date: Re: hardware update boot trouble
Next by Date: Re: What is "discover -t" saying?
Previous by thread: Re: Expired GPG keys of older release
Next by thread: Show event from KOrganizer to Panel calendar
Index(es):
- Date
- Thread