Best practice for periodic key change?

[MFPA]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 7 May 2011 at 1:09:25 PM, in
<mid:BANLkTimpo-Bwz38icRFC-CudrkH968fhZQ at mail.gmail.com>, Jerome Baum
wrote:

> Then I would say it is the recipients responsibility to
> only accept "reasonable" signatures.

Fair enough. "Reasonable" is subjective.



> As you say, it is
> only an "attempt" to generate deniability -- nobody
> who's right in their mind would accept a signature on a
> document that is dated before the document itself.

In which case your attempt to generate plausible deniability would
have fooled anybody "who's right in their mind" (because they all
believe the signature timestamp has some meaning besides being the
time/date your system clock happened to be set on when you created the
signature). I'm not sure I buy that.



> Assuming a responsible recipient, the expiration date
> makes sense. Yes, a responsible recipient would refresh
> their keys. Yes, man-in-the-middle. The expiration date
> makes a difference here.

In the edge-case scenario you described previously (where the key only
expired the previous day) I doubt it would make much difference. Even
the weak evidence of the email headers and server logs suggesting your
system clock had been incorrectly set a day behind could be enough to
make your deniability implausible.


> But I
> have no idea of knowing when it was signed, so I have
> to assume it is when it was allegedly signed

That was exactly my point.



> -- and
> yes, this is a problem under certain circumstances.
> However, there is at least one circumstance where the
> expiration date *does* make a difference, which is the
> document dated in the future relative to the signature
> timestamp, from a then-already expired key. So in at
> least one case, the expiration date helps.

A non-digital example of a document signed with a date in the future
is the post-dated cheque, which is supposed to be worthless until the
date written on it. Several people sent me cheques as wedding gifts,
which they dated with our wedding day but we received them during the
couple of weeks before. Most of those were banked the day after we
received them, rather than waiting until we returned from our
honeymoon. A bank clerk tried to refuse the last one I paid in on the
Friday afternoon before our wedding but I persisted and he accepted
it.

The date in the future should have made a difference to those cheques
but did not. (In the case of the last cheque that was queried, it made
no difference because it would be the Monday two days *after* the date
on the cheque that it was presented to the payee's branch for
payment.)

I suspect that fact of the signature timestamp and the key expiry date
being before the date stated on the document, is something it would be
unwise to rely upon in court. Especially if the other side produced an
"expert" witness who testified about the triviality of altering a
system clock.



> Let's get a concrete idea of such a "document". Say I
> want a statement from you that you legally have access
> to an email account today. Today is 2011-05-07. I have
> your key, with a signing sub-key that expired in 2010.
> I refresh your key but Mallory manipulates the traffic
> and so a revocation certificate wouldn't have helped.
> It's a good thing that your sub-key expired, though,
> because I won't accept the signature from that sub-key
> as I'm looking for an up-to-date statement. In fact,
> I'll probably want: "As of 2011-05-07, I legally have
> access to email at example.com". There is *no way* I would
> accept that when the signature is dated in 2010.

Several months out (because it expired last year) is different to your
previous case of several hours out (because it expired yesterday). I
could put the clock back exactly a year and some recipients may not
spot one digit being different, but they are more likely to notice
that than to notice the day being off (unless it occurs early in the
new year before they have got used to spotting the year without
thinking about it).



> Does that make my point more clear? I wasn't saying
> that under all circumstances the expiration date helps.
> That would be crazy. I was saying that there are
> circumstances where it does,

It helps to raise a question in the mind of the person viewing the
signature (if they spot it).



> and since the cost is so
> low, that there is no point in not having them
> (assuming, of course, that you separate master and
> sub-keys).

You can't assume.


- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Life is a holiday. In the same way that glass is a liquid.
-----BEGIN PGP SIGNATURE-----

iQE7BAEBCgClBQJNxU8TnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf
a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC
OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB
MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5pvD8EAIA6
yHvGXM/rrzbfEpsGMptqQcVNOTFPgH8xxqdJpVrvlu1OYZ3OhHiW4kQV+vGVIzn6
SWci1bAJ3sI15o9cBIRIRoiA4lJhh7JBkgsoQ4o/ToS0QncD16cjZ46nyhPTFVfD
HZfAxArfylJ6+603yA7xycf2Lh++2uzaQV4+wFtu
=97P4
-----END PGP SIGNATURE-----