0.9.0 expiration date: does not work

Matthew Skala mskala at ansuz.sooke.bc.ca
Mon Jan 4 19:34:29 CET 1999

On Mon, 4 Jan 1999, Bodo Moeller wrote:
> That's a possibility, but it's somewhat awkward.  Also, for decryption
> keys that I keep just in order to be able to decrypt old stuff, I
> would not really want to change the expiration date: The key _is_
> expired, I have no intention to change that -- I simply want to use
> it anyway.

I think it's arguable that using an expired key for decryption should be
allowed *by default* anyway.  What exactly does the expiry date mean?  It
seems to me that it means "Don't send me any messages to this key, nor
accept any signatures from this key, after this date."  After my key
expires I generate a new one for new traffic, but I should still be able
to use the old one to read my old traffic.  It should not stop working for
decryption after it expires.  On the other hand, it *should* stop working
by default for *signatures*, because if I make signatures with it after
the expiry date then they will look bad to the verifier, and I shouldn't
be able to do that by accident.

I think the Right Thing to do is:

- Signing with an expired key doesn't work by default, does work with a
  special option.
- Verifying a signature that appears to have been made by an expired key
  after its expiry date but is otherwise good reports the signature as BAD,
  preferably with a message indicating that it's a key-expiry problem rather
  than a cryptographically bad signature.
- Verifying a signature from a key that is now expired, where the
  signature was made before the expiry date, reports the signature as
  GOOD, possibly with a warning that the key has since expired.
- Encrypting to an expired key doesn't work by default, does work with a
  special option.
- Decrypting always works, if you have the appropriate secret key and

The third girl had an upside-down penguin on       Matthew Skala
her stomach, so the doctor told her, "I'll           Ansuz BBS
examine you for free, if you and your             (250) 472-3169
boyfriend will debug my Web server."    http://www.islandnet.com/~mskala/

More information about the Gnupg-devel mailing list