Re: More on key expiration policy (Re: draft-ietf-openpgp-rfc2440bis-06.txt)
Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de> Tue, 24 September 2002 09:03 UTC
Date: Tue, 24 Sep 2002 10:58:38 +0200
From: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>
To: Michael Young <mwy-opgp97@the-youngs.org>
Cc: OpenPGP <ietf-openpgp@imc.org>, Werner Koch <wk@gnupg.org>
Subject: Re: More on key expiration policy (Re: draft-ietf-openpgp-rfc2440bis-06.txt)
Message-ID: <20020924105838.E3563@cdc.informatik.tu-darmstadt.de>
References: <Pine.LNX.4.30.QNWS.0209231142100.22100-100000@thetis.deor.org> <00d101c2634b$1b4e2b80$f0c12609@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <00d101c2634b$1b4e2b80$f0c12609@transarc.ibm.com>; from mwy-opgp97@the-youngs.org on Mon, Sep 23, 2002 at 05:49:34PM -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Mon, Sep 23, 2002 at 05:49:34PM -0400, Michael Young wrote:

> "Len Sassaman" <rabbi@abditum.com>:
>> The question I see is this: are key expiration dates a "mandate" or a
>> "suggestion" to third parties by the key owner?

> More precisely, are expiration times rewriteable?
>
> I'm afraid that the answer has to be YES.  The specification has
> clearly said so for a while now, and at least one implementation
> (GnuPG) offers this capability.  If we change the rules now,
> anyone who has taken advantage of it (or set a short expiration
> time with the expectation that they can change it) will be
> seriously disappointed.

Actually, they won't!  My proposal was: When Bob signs a certificate
for Alice's key (which presumably he does only when Alice has told him
that she considers her key valid), he looks at all valid
self-signatures and finds the one whose key expiry is the furthest
away.  This determines the maximum validity he should use for his
certification (unless Alice tells him otherwise).

So if your key has a short expiration time, you can extend it, and new
certifications will use the new expiration time.

You mentioned GnuPG.  Note that GnuPG apparently already handles key
expiration in a safe way during certification:

< From: Werner Koch <wk@gnupg.org>
< To: Jon Callas <jon@callas.org>
< Cc: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>,
<     OpenPGP <ietf-openpgp@imc.org>
< Subject: Re: draft-ietf-openpgp-rfc2440bis-06.txt
< Date: Sat, 21 Sep 2002 11:59:22 +0200

< By default GnuPG uses the expiration date of the self-signature as the
< one for a key signature.  This is on Florian Weimer's request and afaik
< is sufficient for him and his use of the PGP PKI.

I hope Werner meant the *key* expiration date from the self-signature,
not the *signature* expiration date from the self-signature.  These are
different packet types.

Key expiration dates may be present only in self-signatures according
to the OpenPGP specification, so they should be translated into
signature expiration dates when certifying keys; see Florian's request
at <URL:http://lists.gnupg.org/pipermail/gnupg-devel/2001-July/006196.html>:

< [My patch] is a bit more complicated because it also works around the
< protocol error in RFC 2440 related to V4 key expiration (V4 key
< expiration time is not covered by certificates because it is only
< contained in the self signature, not in the key material, in contrast
< to V3 keys): If the key to be signed is a V4 key with an expiration
< time set, a V4 signature is made which expires at that time, too (or
< even earlier).

-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
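The certification rule discussed in the message above (take the furthest key expiry among the key's valid self-signatures and let it bound the certification's lifetime), worked through as an added example. This is not code from the thread, from GnuPG or from Florian Weimer's patch. The SelfSignature class, the function names and the optional max_lifetime cap are stand-ins chosen for this example; the subpacket types and their encodings are those of RFC 2440.

```python
"""Bounding a certification signature by the certified key's expiration.

Added worked example; not code from the thread, from GnuPG or from Florian
Weimer's patch. It implements the rule from the message above: among the
key's valid self-signatures, take the one whose key expiration is furthest
away, and let that bound the lifetime of the certification signature.

The two expirations are encoded differently in RFC 2440, which is why a
translation step is needed at all:
  - Key Expiration Time subpacket (type 9): seconds after the KEY's creation
  - Signature Expiration Time subpacket (type 3): seconds after the
    SIGNATURE's creation
Absence of the subpacket (or a value of 0) means "does not expire".

The SelfSignature class and the function names are stand-ins chosen for this
example (assumption); they are not an OpenPGP library's API.
"""
from dataclasses import dataclass
from typing import List, Optional

KEY_EXPIRATION_TIME = 9  # RFC 2440 signature subpacket type
SIG_EXPIRATION_TIME = 3  # RFC 2440 signature subpacket type


@dataclass
class SelfSignature:
    created: int                # signature creation time (Unix seconds)
    key_expiry: Optional[int]   # type-9 value: seconds after key creation; None = no expiry
    revoked: bool = False       # a revoked self-signature is not "valid"


def furthest_key_expiry(key_created: int, selfsigs: List[SelfSignature]) -> Optional[int]:
    """Absolute Unix time of the furthest key expiration among valid self-sigs.

    Returns None when a valid self-signature declares the key non-expiring
    (that dominates every finite expiry). Raises if no valid self-signature
    exists: a key without one cannot be certified on this basis.
    """
    valid = [s for s in selfsigs if not s.revoked]
    if not valid:
        raise ValueError("no valid self-signature: cannot derive key expiry")
    absolute = []
    for s in valid:
        if s.key_expiry is None or s.key_expiry == 0:
            return None
        absolute.append(key_created + s.key_expiry)
    return max(absolute)


def certification_sig_expiry(key_created: int, selfsigs: List[SelfSignature],
                             sig_created: int,
                             max_lifetime: Optional[int] = None) -> Optional[int]:
    """Value for the type-3 subpacket of a certification made at sig_created.

    Returns seconds after sig_created, or None if the subpacket can be omitted
    (key never expires and the certifier sets no limit). max_lifetime is the
    certifier's own cap, the "or even earlier" case (assumed policy knob).
    Refuses to certify a key that has already expired.
    """
    key_expires_at = furthest_key_expiry(key_created, selfsigs)
    candidates = []
    if key_expires_at is not None:
        remaining = key_expires_at - sig_created   # rebase: key-relative -> sig-relative
        if remaining <= 0:
            raise ValueError("key already expired at certification time")
        candidates.append(remaining)
    if max_lifetime is not None:
        candidates.append(max_lifetime)
    return min(candidates) if candidates else None


def encode_sig_expiration_subpacket(seconds: int) -> bytes:
    """Serialise a Signature Expiration Time subpacket (RFC 2440 sec. 5.2.3.1 format).

    One-octet length (covers the type octet plus the 4-octet body, so 5),
    the type octet (3), then the value as a 4-octet big-endian integer.
    """
    if not 0 < seconds < 2**32:
        raise ValueError("expiration must fit in 4 octets")
    return bytes([5, SIG_EXPIRATION_TIME]) + seconds.to_bytes(4, "big")


if __name__ == "__main__":
    # Constructed sample: Alice self-signed her key with a one-year expiry,
    # later revoked that self-signature and issued a new one with a two-year
    # expiry. Bob certifies 10,000,000 s after key creation.
    KEY_CREATED = 1_000_000_000
    alice = [
        SelfSignature(created=KEY_CREATED, key_expiry=365 * 86400, revoked=True),
        SelfSignature(created=KEY_CREATED + 5_000_000, key_expiry=730 * 86400),
    ]
    bob_signs_at = KEY_CREATED + 10_000_000
    ttl = certification_sig_expiry(KEY_CREATED, alice, bob_signs_at)
    print("certification expires in", ttl, "s; subpacket:",
          encode_sig_expiration_subpacket(ttl).hex())
```

Because a type-9 value is relative to the key's creation and a type-3 value to the signature's creation, the same absolute moment maps to a smaller number the later the certification is made; a certifier that copied the type-9 value into a type-3 subpacket unchanged would extend the certification past the key's own expiry. The example also refuses to certify a key whose furthest expiry already lies in the past rather than emitting a signature that is dead on arrival.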