Expired keys/sigs untrusted? (longish)
Stefan H. Holek
stefan@epy.co.at
Mon, 23 Oct 2000 20:53:30 +0200 (CEST)
I seem to not get it at all!
To play around with trust propagation I created three users - Alice,
Carol, and Donna - each of which got their own OpenPGP key pair created
with GnuPG 1.0.4.
- Alice receives Carol's public key from Carol, signs it, and marks it
as fully trusted.
- Donna receives Alice's public key from Alice and signs it.
- Carol receives Donna's public key from Donna and signs it.
- Alice receives Donna's public key from Carol (with Carol's signature).
As a result, Alice and Donna can communicate securely as Donna's public
key is certified by Carol's key (which Alice fully trusts).
Fine.
- Carol's key will expire in the near future so she creates a new key,
signs it with her old key, and distributes it to Alice.
- Alice takes no extra steps, as Carol's new key is certified by Carol's
old key (which Alice had originally signed and still fully trusts).
Alice and Donna can still communicate securely (of course).
- Carol's old key expires. -> BANG!
In Alice's keyring/trustdb Carol's old key goes to 'e'
and as a result (?) Carol's new key - and Donna's key - go to 'q'.
No more trust! Alice can no longer securely communicate with either Carol
or Donna.
What am I missing? I have found in the PGP documentation that expired
keys can still be used for signature verification and decryption. I have
asked on this list a couple of months ago, how to retain trust in case of
key expiration, and was advised to make a new key and sign it with the
soon-to-expire key. I believe this is exactly what I did in this
scenario. Still - no cigar.
Alice, BEFORE Carol's old key expired:
alice$ gpg --list-sigs --with-colons
/home/alice/.gnupg/pubring.gpg
------------------------------
pub:u:1024:17:F7B74CE18EAC25D9:2000-10-22:2000-11-21:59:-:alice:
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:13:
sub:u:1024:16:86D98572963702B9:2000-10-22:2000-11-21:59::
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:18:
pub:f:1024:17:652036D1A9CF22EF:2000-10-22:2000-10-23:64:f:carol:
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:13:
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:10:
sub:f:1024:16:DC27A7D9B0A2EDF9:2000-10-22:2000-10-23:64::
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:18:
pub:f:1024:17:EF0BFB5FADE1F924:2000-10-22:2000-11-21:70:-:donna:
sig:::17:EF0BFB5FADE1F924:2000-10-22::::donna:13:
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:10:
sub:f:1024:16:B38BE8E5E2151A96:2000-10-22:2000-11-21:70::
sig:::17:EF0BFB5FADE1F924:2000-10-22::::donna:18:
pub:f:1024:17:79E5918493B222B9:2000-10-23:2000-11-22:76:-:carol:
sig:::17:79E5918493B222B9:2000-10-23::::carol:13:
sig:::17:652036D1A9CF22EF:2000-10-23::::carol:10:
sub:f:1024:16:D122765CB048DF95:2000-10-23:2000-11-22:76::
sig:::17:79E5918493B222B9:2000-10-23::::carol:18:
Alice, AFTER Carol's old key expired:
alice$ gpg --list-sigs --with-colons
/home/alice/.gnupg/pubring.gpg
------------------------------
pub:u:1024:17:F7B74CE18EAC25D9:2000-10-22:2000-11-21:59:-:alice:
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:13:
sub:u:1024:16:86D98572963702B9:2000-10-22:2000-11-21:59::
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:18:
gpg: key A9CF22EF.64: expired at Mon Oct 23 19:03:47 2000 CEST
pub:e:1024:17:652036D1A9CF22EF:2000-10-22:2000-10-23:64:f:carol:
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:13:
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:10:
sub:e:1024:16:DC27A7D9B0A2EDF9:2000-10-22:2000-10-23:64::
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:18:
gpg: NOTE: signature key expired Mon Oct 23 19:03:47 2000 CEST
pub:q:1024:17:EF0BFB5FADE1F924:2000-10-22:2000-11-21:70:-:donna:
sig:::17:EF0BFB5FADE1F924:2000-10-22::::donna:13:
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:10:
sub:q:1024:16:B38BE8E5E2151A96:2000-10-22:2000-11-21:70::
sig:::17:EF0BFB5FADE1F924:2000-10-22::::donna:18:
gpg: NOTE: signature key expired Mon Oct 23 19:03:47 2000 CEST
pub:q:1024:17:79E5918493B222B9:2000-10-23:2000-11-22:76:-:carol:
sig:::17:79E5918493B222B9:2000-10-23::::carol:13:
sig:::17:652036D1A9CF22EF:2000-10-23::::carol:10:
sub:q:1024:16:D122765CB048DF95:2000-10-23:2000-11-22:76::
sig:::17:79E5918493B222B9:2000-10-23::::carol:18:
Please enlighten me
TIA
--
Stefan H. Holek, stefan@epy.co.at
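Added example (not part of the original mail, not GnuPG's own code): a small parser for the `--with-colons` records in the AFTER listing above that reports which keys are certified only by a signer key whose own validity is now 'e'. It mirrors the path problem the post describes: the only third-party signature on Donna's key and on Carol's new key comes from Carol's expired key, so those two keys are the ones that would need a fresh certification from a still-valid key. The input is copied from the listing above with the `gpg: NOTE` lines left out, since those are stderr messages rather than colon records.

```python
"""Walk `gpg --list-sigs --with-colons` output and flag keys whose only
third-party certifications come from a signer key that is itself expired."""

# Input taken from the "AFTER" listing in the post (sub/binding records kept
# out for brevity; the parser skips them anyway).
LISTING = """\
pub:u:1024:17:F7B74CE18EAC25D9:2000-10-22:2000-11-21:59:-:alice:
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:13:
pub:e:1024:17:652036D1A9CF22EF:2000-10-22:2000-10-23:64:f:carol:
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:13:
sig:::17:F7B74CE18EAC25D9:2000-10-22::::alice:10:
pub:q:1024:17:EF0BFB5FADE1F924:2000-10-22:2000-11-21:70:-:donna:
sig:::17:EF0BFB5FADE1F924:2000-10-22::::donna:13:
sig:::17:652036D1A9CF22EF:2000-10-22::::carol:10:
pub:q:1024:17:79E5918493B222B9:2000-10-23:2000-11-22:76:-:carol:
sig:::17:79E5918493B222B9:2000-10-23::::carol:13:
sig:::17:652036D1A9CF22EF:2000-10-23::::carol:10:
"""


def parse_listing(text):
    """Return {keyid: {validity, expires, uid, sigs: [(signer_keyid, sigclass)]}}.

    Field layout of the colon format used here:
      pub:validity:len:algo:keyid:created:expires:lid:ownertrust:uid:
      sig:::algo:keyid:created::::uid:sigclass:
    """
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"validity": f[1], "expires": f[6], "uid": f[9], "sigs": []}
            keys[f[4]] = current
        elif f[0] == "sig" and current is not None:
            current["sigs"].append((f[4], f[10]))
        elif f[0] == "sub":
            current = None  # subkey binding sigs are not certifications
    return keys


def certifiers(keys, keyid):
    """Third-party certifiers of keyid as (signer_keyid, signer_uid, signer_validity)."""
    out = []
    for signer, _sigclass in keys[keyid]["sigs"]:
        if signer == keyid:
            continue  # self-signature (class 13) is not a trust path
        s = keys.get(signer, {})
        out.append((signer, s.get("uid", "?"), s.get("validity", "?")))
    return out


def stranded_keys(keys):
    """Key IDs whose every third-party certification comes from an expired signer."""
    return sorted(k for k in keys
                  if certifiers(keys, k) and all(v == "e" for _, _, v in certifiers(keys, k)))
```

Running `stranded_keys(parse_listing(LISTING))` names Donna's key and Carol's new key, the two that dropped to 'q' in the listing.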