[Announce] A new GnuPG snapshot (unstable)

Stefan H. Holek stefan at epy.co.at
Sun Nov 4 17:40:02 CET 2001


--On Saturday, 03. November 2001 15:42 +0100 Werner Koch <wk at gnupg.org> wrote:

> On Sat, 3 Nov 2001 13:41:52 +0100 (CET), Stefan H Holek said:
>
>> I gave 1.0.6b a spin recently and found that the trustdb stuff has
>> considerably improved over 1.0.6. This is good news! Even expired keys
>> do now work for key validation, they did not in plain 1.0.6...
>
> I hope you mean that they are not used for key validation ...

Oh. But they are, and I think this is good ;-)

The situation is that I have a key that is about to expire, so I want to 
create a new key and sign it with the old one to transfer its trust.

I first tried this about a year ago (with 1.0.4, admittedly) and failed 
because when the signing key expired, it no longer worked for validation.
http://lists.gnupg.org/pipermail/gnupg-users/2000-October/006846.html

Now I created a scenario where Alice has signed Carol's key and Carol has 
signed Donna's. Furthermore Alice trusts Carol completely and thus has a 
path to Donna. I then expired Carol's key to look at the consequences.

before expiration (listing by 1.0.6):
/home/alice/.gnupg/pubring.gpg
------------------------------
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
sub:u:1024:16:0992322301BF90FB:2001-11-01:2002-04-30:59::::e:
pub:f:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:64:f:Carol::scESC:
sub:f:1024:16:4744413994545EC4:2001-11-01:2002-04-30:64::::e:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
sub:f:1024:16:6DE1D75D64BB1C1C:2001-11-01:2002-04-30:70::::e:

after expiration in 1.0.6:
/home/alice/.gnupg/pubring.gpg
------------------------------
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
sub:u:1024:16:0992322301BF90FB:2001-11-01:2002-04-30:59::::e:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
sub::1024:16:4744413994545EC4:2001-11-01:2002-04-30:::::e:
pub:q:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
sub:q:1024:16:6DE1D75D64BB1C1C:2001-11-01:2002-04-30:70::::e:

after expiration in 1.0.6b:
/home/alice/.gnupg/6b/pubring.gpg
---------------------------------
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:::Alice::scESC:
sub:u:1024:16:0992322301BF90FB:2001-11-01:2002-04-30:::::e:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
sub::1024:16:4744413994545EC4:2001-11-01:2002-04-30:::::e:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:::Donna::scESC:
sub:f:1024:16:6DE1D75D64BB1C1C:2001-11-01:2002-04-30:::::e:

As you can see, Donna is still trusted in 1.0.6b whereas in 1.0.6 Donna's 
validity is lost. IMO the new behavior is correct as it should be 
possible to verify signatures even after the key making them has expired, 
and because Alice still trusts Carol's certification.

[snip]

And thanks for the explanations,
Stefan
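As an added example (not code from this post or from GnuPG itself), a small Python parser for the `--with-colons` records quoted above: it maps field 2 (validity) to its documented meaning and lists which keys dropped out of full/ultimate validity between two listings. The sample records are the `pub` lines copied from the three listings in the message, and the field positions follow GnuPG's doc/DETAILS.

```python
"""Parse `gpg --with-colons` key listings and report validity regressions."""
from typing import Dict, List, Tuple

# Validity codes of field 2, as documented in GnuPG's doc/DETAILS.
VALIDITY = {"o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
            "e": "expired", "-": "unknown", "q": "undefined", "n": "never",
            "m": "marginal", "f": "full", "u": "ultimate"}

# `pub` records copied from the three listings in the message above.
BEFORE_106 = """\
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
pub:f:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:64:f:Carol::scESC:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
"""
AFTER_106 = """\
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
pub:q:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
"""
AFTER_106B = """\
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:::Alice::scESC:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:::Donna::scESC:
"""

TRUSTED = ("full", "ultimate")  # validity levels that make a key usable


def parse_pub_records(listing: str) -> Dict[str, Tuple[str, str]]:
    """Map key ID (field 5) -> (validity word, user ID in field 10)."""
    keys: Dict[str, Tuple[str, str]] = {}
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10 or f[0] != "pub":
            continue  # ignore sub/uid/fpr records and blank lines
        keys[f[4]] = (VALIDITY.get(f[1], "unknown"), f[9])
    return keys


def validity_regressions(before: str, after: str) -> List[Tuple[str, str, str]]:
    """List (user ID, old, new) for keys that dropped out of full/ultimate."""
    old, new = parse_pub_records(before), parse_pub_records(after)
    lost = []
    for keyid, (val, uid) in old.items():
        new_val = new.get(keyid, ("unknown", uid))[0]  # missing key => unknown
        if val in TRUSTED and new_val not in TRUSTED:
            lost.append((uid, val, new_val))
    return lost
```

Run against the 1.0.6 listings it reports both Carol (expired, as expected) and Donna (validity lost); against the 1.0.6b listings only Carol, which is the behaviour the post argues for.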
