encrypting to expired certificates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 16 16:26:31 CEST 2014 

On 09/16/2014 10:04 AM, Nicholas Cole wrote:
> Can anyone explain to me why one would want to continue using a key
> and yet not simply change the expiry date?  I really find all of the
> examples being given to be incredibly contrived.

"incredibly contrived" suggests that the people who are reporting the
scenarios have made them up.  I did not make up either example, and i
doubt that Peter or Hauke did either.  They simply happened, and we
experienced them and are reporting them.  Do you really think any of us
made them up?

> It takes no time at
> all these days to change the date and distribute the new key.  

Yes, it is trivial to update the expiration and publish it if (a) you
know how, and (b) you don't have an offline master key.

In fact, for updating the primary key, it is just:

 gpg --edit-key $PGPID expire
 gpg --send-key $PGPID

But sometimes, it is the encryption-capable subkey that is the thing
that expired.  in that case, it's a little bit more complex:

 gpg --edit-key $PGPID
  gpg> key 1
  gpg> expire
  gpg> save
 gpg --send-key $PGPID

of course, it might be "key 2" or something else if you have more than
one subkey.

i've definitely seen people update their primary key's expiration date
and fail to update the expiration date of their subkey, so they have a
valid cert, but it still can't be used for encryption.  So they have to
go back and do the second step later, after a poke from someone more
knowledgeable about OpenPGP who figures out why no one can encrypt
messages to them.

Is it getting complicated enough yet for you to believe these real-world
reports?

The cost is not just the time to do it, it's the time to:

 0) understand what needs to be done
 1) figure out the interface to do it

This is non-trivial, for most people: the context switch alone from
"regular work" to "thinking about key management" is expensive and
distracting.   And it is also scary -- people who understand a little
about key management have probably heard that if you screw it up, you
can screw up pretty big, in unrecoverable ways.

So there are both cognitive and emotional barriers to overcome, in
addition to the time it takes.

> As I've
> said, if the tools to do this kind of thing easily do not exist, they
> need to be created.

Do you know of any tools that do this easily for users who don't already
think about key management daily?  I don't, unfortunately.  And even if
they exist, some people might not have access to them.

I'm all for building those friendly key-management tools, i would love
to see them.  But we need to also let people use the tools we have in
light of real-world scenarios.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140916/07893bd4/attachment.sig>

More information about the Gnupg-users mailing list