Re: More on key expiration policy (Re: draft-ietf-openpgp-rfc2440bis-06.txt)
David Shaw <dshaw@jabberwocky.com> Tue, 24 September 2002 13:12 UTC
Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26019 for <openpgp-archive@lists.ietf.org>; Tue, 24 Sep 2002 09:12:44 -0400 (EDT)
Received: (from majordomo@localhost) by above.proper.com (8.11.6/8.11.3) id g8OD2mK16302 for ietf-openpgp-bks; Tue, 24 Sep 2002 06:02:48 -0700 (PDT)
Received: from localhost.localdomain (walrus.ne.client2.attbi.com [65.96.217.16]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g8OD2lv16298 for <ietf-openpgp@imc.org>; Tue, 24 Sep 2002 06:02:47 -0700 (PDT)
Received: (from dshaw@localhost) by localhost.localdomain (8.11.6/8.11.6) id g8OD2ao00387 for ietf-openpgp@imc.org; Tue, 24 Sep 2002 09:02:36 -0400
Date: Tue, 24 Sep 2002 09:02:36 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: More on key expiration policy (Re: draft-ietf-openpgp-rfc2440bis-06.txt)
Message-ID: <20020924130236.GC2529@akamai.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <Pine.LNX.4.30.QNWS.0209231142100.22100-100000@thetis.deor.org> <00d101c2634b$1b4e2b80$f0c12609@transarc.ibm.com> <20020924105838.E3563@cdc.informatik.tu-darmstadt.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20020924105838.E3563@cdc.informatik.tu-darmstadt.de>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-URL: http://www.jabberwocky.com/
User-Agent: Mutt/1.5.1i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Tue, Sep 24, 2002 at 10:58:38AM +0200, Bodo Moeller wrote:

> < By default GnuPG uses the expiration date of the self-signature as the
> < one for a key signature. This is on Florian Weimer's request and afaik
> < is sufficient for him and his use of the PGP PKI.
>
> I hope Werner meant the *key* expiration date from the self-signature,
> not the *signature* expiration date from the self-signature. These
> are different packet types. Key expiration dates may be present only
> in self-signatures according to the OpenPGP specification, so they
> should be translated into signature expiration dates when certifying
> keys; see Florian's request at
> <URL:http://lists.gnupg.org/pipermail/gnupg-devel/2001-July/006196.html>:

It is the key expiration date (i.e. subpacket 9, not subpacket 3).

I want to point out that this is not something that GnuPG forces on the
user. If a key has an expiration date, GnuPG prompts the user "This key
is due to expire on x/x/x. Do you want your signature to expire at the
same time? (Y/n)". If the signing user says "yes" (the default), then
that happens. If the signing user says no, then they are free to pick
any expiration time, or none at all. I think that is the most
appropriate solution here as the signer is still free to do whatever
they like.

In an ideal world (which we are not in), I think that a solution that
would solve all the concerns here is to define a v5 key format. It
could contain an expiration date as part of the key, just like in v3
keys. The expiration date in the key is the "hard" expiration. The
user can shorten, but not extend, this via the "soft" expiration date
given in the self-signature. (Incidentally, this is what GnuPG does
when it encounters v3 keys with v4 self-signatures.) Of course, a new
key format would be brutal for interoperability, so is not a good
solution.
David

--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
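The message turns on two different signature subpackets (type 9, key expiration, relative to key creation and only meaningful in a self-signature; type 3, signature expiration, relative to the signature's own creation) and on two policies for combining them: "translate 9 into 3 when certifying", and the hard/soft rule for v3 keys carrying v4 self-signatures. The following is an added example, not code from David Shaw's message, from GnuPG or from RFC 2440: it parses and encodes the subpacket area format, reads subpacket 9 out of a self-signature, derives the subpacket 3 value for a certification, and applies the hard/soft minimum. The function and constant names, the constructed self-signature, and the sample timestamp (the message's own date) are the example's assumptions; the certification helper also makes one design choice the message does not prescribe, namely clamping a requested lifetime so the certification never outlives the key, whereas the GnuPG prompt the message describes leaves the signer free to pick any lifetime.

```python
import struct

# OpenPGP signature subpacket types (RFC 2440 / RFC 4880 section 5.2.3.1)
SIG_CREATION_TIME = 2   # 4-byte time the signature was made
SIG_EXPIRATION = 3      # 4-byte seconds after *signature* creation; 0 = never
KEY_EXPIRATION = 9      # 4-byte seconds after *key* creation; 0 = never (self-sigs only)


def parse_subpackets(area: bytes) -> list:
    """Split a hashed/unhashed subpacket area into (type, critical, body) tuples.

    Length prefix: one octet if < 192, two octets for 192..16319, five octets
    (0xff + big-endian u32) above that. The length covers the type octet,
    whose high bit is the 'critical' flag.
    """
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length = ((first - 192) << 8) + area[i + 1] + 192
            i += 2
        else:
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
            i += 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or empty subpacket")
        type_octet = area[i]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]))
        i += length
    return out


def encode_subpacket(ptype: int, body: bytes, critical: bool = False) -> bytes:
    """Inverse of parse_subpackets for a single subpacket."""
    length = len(body) + 1                      # type octet is counted
    if length < 192:
        hdr = bytes([length])
    elif length < 16320:
        n = length - 192
        hdr = bytes([192 + (n >> 8), n & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([ptype | (0x80 if critical else 0)]) + body


def time_subpacket(ptype: int, seconds: int) -> bytes:
    return encode_subpacket(ptype, struct.pack(">I", seconds))


def key_expiration_time(self_sig_area: bytes, key_created: int):
    """Absolute expiry (Unix time) from the self-sig's subpacket 9, or None if never.

    key_created comes from the public-key packet, not from subpacket 2 of the
    self-signature, because subpacket 9 is relative to the *key's* creation."""
    for ptype, _critical, body in parse_subpackets(self_sig_area):
        if ptype == KEY_EXPIRATION:
            secs = struct.unpack(">I", body)[0]
            return None if secs == 0 else key_created + secs
    return None


def certification_sig_expiration(self_sig_area: bytes, key_created: int,
                                 cert_created: int, requested: int = 0) -> int:
    """Subpacket 3 value (seconds after cert_created) for a certification of this key.

    Default (the 'Y' answer in the prompt quoted above): the certification expires
    when the key does, i.e. subpacket 9 re-based onto the certification's own
    creation time. A non-zero 'requested' lifetime may shorten that; this example
    (its own policy, not GnuPG's) never lets it extend past the key. 0 = never.
    """
    key_exp = key_expiration_time(self_sig_area, key_created)
    if key_exp is not None and key_exp <= cert_created:
        raise ValueError("refusing to certify an already-expired key")
    candidates = [c for c in (0 if key_exp is None else key_exp - cert_created,
                              requested) if c]
    return min(candidates) if candidates else 0


def effective_key_expiration(hard_exp, soft_exp):
    """Hard/soft rule from the message (v3 key with a v4 self-sig): the soft
    expiry in the self-signature may shorten, but never extend, the hard expiry
    stored in the key. None means 'never'."""
    if hard_exp is None:
        return soft_exp
    if soft_exp is None:
        return hard_exp
    return min(hard_exp, soft_exp)


# Constructed sample: key made at the message's date, self-sig says "expires in 365 days".
KEY_CREATED = 1_032_872_556            # 24 Sep 2002 13:02:36 UTC
SELF_SIG_AREA = (time_subpacket(SIG_CREATION_TIME, KEY_CREATED)
                 + time_subpacket(KEY_EXPIRATION, 365 * 86400))

if __name__ == "__main__":
    cert_time = KEY_CREATED + 100 * 86400
    print("key expires at", key_expiration_time(SELF_SIG_AREA, KEY_CREATED))
    print("subpacket 3 for a cert made 100 days later:",
          certification_sig_expiration(SELF_SIG_AREA, KEY_CREATED, cert_time))
```

The parser is the part worth keeping around: the same length-prefix rules apply to every subpacket in the hashed and unhashed areas, and a certifier that trusts subpacket 9 must read it from the hashed area of a self-signature it has already verified, since an attacker can append anything to the unhashed area.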
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Jon Callas
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Werner Koch
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Jon Callas
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Werner Koch
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Jon Callas
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Jon Callas
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Derek Atkins
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- RE: draft-ietf-openpgp-rfc2440bis-06.txt Richie Laager
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- RE: draft-ietf-openpgp-rfc2440bis-06.txt Richie Laager
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Len Sassaman
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Expiration semantics (Re: draft-ietf-openpgp-rfc2… Michael Young
- RE: draft-ietf-openpgp-rfc2440bis-06.txt Richie Laager
- More on key expiration policy (Re: draft-ietf-ope… Michael Young
- Re: More on key expiration policy (Re: draft-ietf… Len Sassaman
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Jon Callas
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Michael Young
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: More on key expiration policy (Re: draft-ietf… Bodo Moeller
- Re: More on key expiration policy (Re: draft-ietf… Bodo Moeller
- Re: Expiration semantics (Re: draft-ietf-openpgp-… Bodo Moeller
- Re: More on key expiration policy (Re: draft-ietf… David Shaw
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Derek Atkins
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller
- Re: draft-ietf-openpgp-rfc2440bis-06.txt disastry
- Re: draft-ietf-openpgp-rfc2440bis-06.txt David Shaw
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Len Sassaman
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Michael Young
- Re: draft-ietf-openpgp-rfc2440bis-06.txt David Shaw
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Michael Young
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Adrian von Bidder
- Re: draft-ietf-openpgp-rfc2440bis-06.txt Bodo Moeller