RE: draft-ietf-openpgp-rfc2440bis-06.txt

"Richie Laager" <> Mon, 23 September 2002 17:55 UTC

From: "Richie Laager" <>
To: "'Bodo Moeller'" <>, "'Derek Atkins'" <>
Cc: "'Jon Callas'" <>, "'OpenPGP'" <>
Subject: RE: draft-ietf-openpgp-rfc2440bis-06.txt
Date: Mon, 23 Sep 2002 12:48:16 -0500
Organization: Wikstrom Telecom Internet

> -----Original Message-----
> From: 
> [] On Behalf Of Bodo Moeller
> Sent: Monday, September 23, 2002 9:01 AM
> To: Derek Atkins
> Cc: Jon Callas; OpenPGP
> Subject: Re: draft-ietf-openpgp-rfc2440bis-06.txt
> On Mon, Sep 23, 2002 at 09:55:19AM -0400, Derek Atkins wrote:

> Yes he can -- this is exactly the problem [1] that I want to solve
> with my suggested change to the specification.  The way Jon wants
> to use key expiration, the bad guy can keep the key alive
> indefinitely. I call this a protocol failure, he calls it a
> feature.

I've been following this thread somewhat, and I have the following

IIRC, key expirations are stored in the self-signature. So, a PGP
client could take all of the valid self-signatures, and compare
expiration dates. The oldest one would be honored.

This means that you cannot extend the key expiration. However, if you
don't want an attacker to be able to extend the key expiration if he
or she has the private key, this also means that the legitimate owner
of the key cannot be allowed to extend the expiration date.

There is another large flaw with this plan. An attacker would only
need to revoke the self-signature, thus making it invalid. So, for
the meaning of this discussion, a "valid self-signature" would be one
that is correct in cryptographic terms, but revocations are ignored.

Deleting the other self-signatures would work, but since keyservers
only add to a key, synchronization with a keyserver could defeat this
attack method. However, if we ever implement the "no-modify" flag,
there is no reason the attacker (with possession of the private key)
couldn't send the key to the keyserver with the other signatures
deleted and the "no-modify" flag set. So, this may require that
keyservers maintain all self-signatures, even if the "no-modify" flag
is set.

So, to recap, if you ignore my implementation notes, the following
choice needs to be made:
1. Is extending a key expiration date by a key's owner a REQUIRED
action? If not, this is feasible. If so, I can't think of a way to do

Richard Laager
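
The comparison rule described in the message, next to a "newest self-signature wins" rule, as an added example that is not part of the original e-mail or of any OpenPGP implementation. It assumes "oldest" means the earliest expiration date; `SelfSig`, `latest_wins`, `earliest_wins` and `keyserver_merge` are hypothetical names and all dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

@dataclass(frozen=True)
class SelfSig:                        # hypothetical model, not an OpenPGP packet parser
    created: datetime
    expires: Optional[datetime]       # None: no expiration set on this self-signature
    crypto_ok: bool = True            # verifies under the primary key
    revoked: bool = False             # a revocation of this signature exists

def latest_wins(sigs: Iterable[SelfSig]) -> Optional[datetime]:
    """Newest unrevoked self-signature decides, so whoever holds the private
    key can extend the expiration."""
    live = [s for s in sigs if s.crypto_ok and not s.revoked]
    if not live:
        raise ValueError("no usable self-signature")
    return max(live, key=lambda s: s.created).expires

def earliest_wins(sigs: Iterable[SelfSig]) -> Optional[datetime]:
    """Earliest expiration among cryptographically correct self-signatures.
    Revocations are ignored on purpose; a self-signature without an
    expiration sets no limit. None means the key never expires."""
    correct = [s for s in sigs if s.crypto_ok]
    if not correct:
        raise ValueError("no usable self-signature")
    limits = [s.expires for s in correct if s.expires is not None]
    return min(limits) if limits else None

def keyserver_merge(stored: frozenset, uploaded: frozenset) -> frozenset:
    """Add-only merge: an upload cannot delete a stored self-signature."""
    return stored | uploaded

# Constructed sample data.
T0 = datetime(2002, 1, 1)
ONE_YEAR, TEN_YEARS = T0 + timedelta(days=365), T0 + timedelta(days=3650)
original = SelfSig(created=T0, expires=ONE_YEAR)
extension = SelfSig(created=T0 + timedelta(days=300), expires=TEN_YEARS)
original_revoked = SelfSig(created=T0, expires=ONE_YEAR, revoked=True)

if __name__ == "__main__":
    print("latest wins:          ", latest_wins([original, extension]))
    print("earliest wins:        ", earliest_wins([original, extension]))
    print("original revoked:     ", earliest_wins([original_revoked, extension]))
    merged = keyserver_merge(frozenset({original}), frozenset({extension}))
    print("after keyserver merge:", earliest_wins(merged))
```

The first two results differ (ten years versus one year), while revoking the original self-signature or uploading a stripped copy to an add-only keyserver leaves the one-year limit in place.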
