Re: [openpgp] Clarification: calculation of key expiration time
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 February 2019 20:50 UTC
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Paul Fawkesley <paul@fluidkeys.com>, openpgp@ietf.org
In-Reply-To: <0be845d0-bd98-d021-7bc9-5f6562323cd4@fluidkeys.com>
References: <0be845d0-bd98-d021-7bc9-5f6562323cd4@fluidkeys.com>
Date: Fri, 08 Feb 2019 15:49:17 -0500
Message-ID: <87r2cixaya.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SKB8ze-jfsh7cJq6iTt_8yS4Cyc>
On Thu 2019-02-07 09:34:13 +0000, Paul Fawkesley wrote:
> There's an open issue[1] on Golang's openpgp library about calculating
> key expiration time.
>
> I believe it is currently calculated incorrectly and would appreciate a
> second opinion.
>
> The code[2] currently reads:
>
> ```
> // KeyExpired returns whether sig is a self-signature of a key that has
> // expired.
> func (sig *Signature) KeyExpired(currentTime time.Time) bool {
>     if sig.KeyLifetimeSecs == nil {
>         return false
>     }
>     expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) *
>         time.Second)
>     return currentTime.After(expiry)
> }
> ```
>
> So they're using _signature creation time_ + key expiration time (seconds)
>
> The spec[3] seems pretty clear that you should use _key creation time_ +
> key expiration time (seconds):
>
>> 5.2.3.6. Key Expiration Time
>>
>> (4-octet time field)
>>
>> The validity period of the key. This is the number of seconds after
>> the key creation time that the key expires. If this is not present
>> or has a value of zero, the key never expires. This is found only on
>> a self-signature.
>
> So it seems to me it's a bug, unless I'm missing something?

I agree with you that this is a bug in Golang's openpgp library. I've
followed up on https://github.com/golang/go/issues/22312 accordingly.

--dkg
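Added illustration (this is not code from the thread or from the Go openpgp library): a stand-alone Go program that puts the signature-relative calculation quoted above next to the key-relative one the spec text calls for, and runs both over a constructed key and self-signature. The two only disagree when the self-signature was made later than the key, which is exactly what happens when a key holder re-signs to change the expiry. The type and function names and the dates are assumptions for the example, and the key-relative version also treats a zero Key Expiration Time as "never expires", following the quoted 5.2.3.6 text rather than the quoted code.

```go
package main

import (
	"fmt"
	"time"
)

// Signature holds the two self-signature fields that matter here: when the
// signature was made, and the optional Key Expiration Time subpacket
// (RFC 4880 section 5.2.3.6), which counts seconds after *key* creation.
// Field names are chosen for the example, not taken from any library.
type Signature struct {
	CreationTime    time.Time
	KeyLifetimeSecs *uint32
}

// PublicKey holds the key's own creation time, the reference point the
// spec names for the expiry calculation.
type PublicKey struct {
	CreationTime time.Time
}

// keyExpiredBySigTime reproduces the calculation under discussion: the
// lifetime is added to the signature's creation time. It is here only to
// show how it diverges from the spec.
func keyExpiredBySigTime(sig *Signature, now time.Time) bool {
	if sig.KeyLifetimeSecs == nil {
		return false
	}
	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
	return now.After(expiry)
}

// keyExpiry returns the expiry per 5.2.3.6 (key creation time plus the
// lifetime) and ok=false if the key never expires. Both an absent subpacket
// and a zero value mean "never expires", as the spec text says.
func keyExpiry(key *PublicKey, sig *Signature) (expiry time.Time, ok bool) {
	if sig.KeyLifetimeSecs == nil || *sig.KeyLifetimeSecs == 0 {
		return time.Time{}, false
	}
	// A uint32 number of seconds expressed in nanoseconds always fits in a
	// time.Duration (int64), so this multiplication cannot overflow.
	return key.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second), true
}

// keyExpiredByKeyTime is the spec-conformant check.
func keyExpiredByKeyTime(key *PublicKey, sig *Signature, now time.Time) bool {
	expiry, ok := keyExpiry(key, sig)
	if !ok {
		return false
	}
	return now.After(expiry)
}

// sampleKey builds a constructed scenario (no real key material): a key made
// on 2017-01-01 whose holder issued a fresh self-signature on 2018-07-01
// carrying a two-year Key Expiration Time. Per the spec the key expires on
// 2019-01-01; measured from the signature it would not expire until mid-2020.
func sampleKey() (*PublicKey, *Signature) {
	lifetime := uint32(2 * 365 * 24 * 60 * 60) // two years, in seconds
	key := &PublicKey{CreationTime: time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)}
	sig := &Signature{
		CreationTime:    time.Date(2018, 7, 1, 0, 0, 0, 0, time.UTC),
		KeyLifetimeSecs: &lifetime,
	}
	return key, sig
}

func main() {
	key, sig := sampleKey()
	now := time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC)
	expiry, _ := keyExpiry(key, sig)
	fmt.Println("spec expiry:           ", expiry.Format(time.RFC3339))
	fmt.Println("expired (sig-relative):", keyExpiredBySigTime(sig, now))
	fmt.Println("expired (key-relative):", keyExpiredByKeyTime(key, sig, now))
}
```

Checked at 2019-06-01, the signature-relative check still reports the key as valid while the key-relative one reports it expired; a verifier using the former would accept signatures from a key its owner intended to be dead for five months.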