Re: Behavior of implementations regarding certain key material
On Tue, May 30, 2000 at 03:58:57PM -0700, hal@xxxxxxxxxx wrote:
> Paul Koning writes, quoting Len Sassaman:
>>> Eh? If you sign my key, and then your *key* expires, your
>>> signature is still included in validity calculations for my
>>> key. Even after your key expires. (However, you had to sign my key
>>> prior to the expiration of yours).
>> Agreed; that's what I meant. (Checking the signature requires a key
>> that was good at the time that signature was created. It's the
>> signature that is being verified, and the date of that signature is
>> what matters.)
> The problem is that we don't have a mechanism for securely timestamping
> signatures. If someone breaks or steals an expired key, they can create
> a back-dated signature with it.
> In my opinion it is risky to rely on a signature by an expired key.

Possibly, but ignoring keys on the grounds that they are expired does
not buy you much because of the expiry date protocol failure in the
OpenPGP key format. I brought this up some time ago on this
mailing list; here's a reminder:

In the old PGP key format, key certification covers the expiration
time, and all is well. (The validity period [key creation time and key
expiration time] is part of the version 3 public key packet.)

However, in the current OpenPGP key format, the key expiration time is
covered only by self-signatures. (A version 4 public key packet
cannot specify a validity period. The key validity period is in the
signature packet instead.) Thus, if someone breaks or steals an
expired OpenPGP key, they can renew it, and the old certificates will
remain valid for the key with extended validity period or unlimited

Fix: Always include a signature expiration time when certifying a key
that has a key expiration date in its self-signature; the time must be
chosen such that the certificate's validity does not extend further
into the future than the key's validity.

The bottom line is that if you don't want to rely on signatures by
expired keys, then you cannot rely on any certificates that don't
contain a signature expiration time (unless the certified key
is in a version 3 public key packet).

Bodo Möller <moeller@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
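
Added example (not part of the original message, and not code from any OpenPGP implementation): a Python check of the rule in the "Fix" paragraph, reading the signature creation time, signature expiration time and key expiration time subpackets (types 2, 3 and 9) of a version 4 self-signature and of a third-party certification. The function names and sample values are hypothetical; it assumes the subpacket areas have already been extracted from signatures that verified cryptographically.

```python
import struct

SIG_CREATED, SIG_EXPIRES, KEY_EXPIRES = 2, 3, 9  # signature subpacket types

def parse_subpackets(area):
    """Return {type: body} for a version 4 signature subpacket area."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:                              # one-octet length
            length, i = first, i + 1
        elif first < 255 and i + 2 <= len(area):     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 5 <= len(area):    # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if length == 0 or i + length > len(area):
            raise ValueError("truncated subpacket")
        out[area[i] & 0x7F] = area[i + 1:i + length]  # bit 7 = critical flag
        i += length
    return out

def u32_field(subpackets, kind):  # 4-octet big-endian value, or None if absent
    body = subpackets.get(kind)
    if body is not None and len(body) != 4:
        raise ValueError("bad time field")
    return None if body is None else struct.unpack(">I", body)[0]

def cert_outlives_key(key_version, key_created, selfsig_area, cert_area):
    """True if a certification is not bounded by the key's stated expiry."""
    if key_version == 3:
        return False  # v3 key packet carries the validity period itself
    key_life = u32_field(parse_subpackets(selfsig_area), KEY_EXPIRES)
    if not key_life:
        return False  # key has no expiration date, nothing to bound
    cert = parse_subpackets(cert_area)
    created, life = u32_field(cert, SIG_CREATED), u32_field(cert, SIG_EXPIRES)
    if created is None:
        raise ValueError("certification lacks a creation time")
    if not life:
        return True  # no signature expiration: survives a renewed self-signature
    return created + life > key_created + key_life

def sub(kind, value):  # builds one constructed sample subpacket
    return bytes([5, kind]) + struct.pack(">I", value)

KEY_CREATED, DAY = 959000000, 86400  # constructed sample values
SELFSIG = sub(SIG_CREATED, KEY_CREATED) + sub(KEY_EXPIRES, 365 * DAY)
```

Both expiration subpackets hold offsets in seconds from the respective creation time, which is why the comparison adds them to `created` and `key_created` before comparing.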