Password reset

David Shaw
Tue Aug 21 14:41:02 2001

On Tue, Aug 21, 2001 at 05:41:10AM +0000, Subba Rao wrote:

> On 0, Florian Weimer <> wrote:
> > Subba Rao <> writes:
> >
> > > My key was set to expire at the end of September. Will the public on the
> > > key servers become completely obsolete to sign or encrypt anything?
> >
> > No, it doesn't. Some implementors choose to ignore expiration during
> > some operations, which makes expiration rather meaningless.
> >
> What about the revoked key? I have revoked my old key and sent it to
> the keyservers. Can a revoked key be used to sign a document or
> email? If you can, then isn't that something that could be used to
> mislead a user about the authenticity of the document or email?

Revocation and expiration are a very good and useful feature - but they
don't (and shouldn't) prevent people from using the revoked or expired
key. OpenPGP puts the onus of deciding whether to use or trust a key on
the local user's side. This is good, as it puts the control where it
belongs, but it also means that revocations and expirations are really
just advisory (i.e. "please don't use this key anymore", and "please
don't use this key after such-and-such date.").

David

-- 
David Shaw | | WWW
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
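
The reply above leaves the decision with the verifier, so here is an added example (not part of the original thread) of a local policy check over the machine-readable status lines that current GnuPG writes with `--status-fd`. The function name, the policy flag and the sample status lines are constructed for illustration; the status keywords are the ones listed in GnuPG's doc/DETAILS.

```python
import re

# Signature status keywords from GnuPG's doc/DETAILS.
# EXPKEYSIG / REVKEYSIG mean the signature itself checks out, but the
# signing key is expired / revoked: exactly the "advisory" case.
ADVISORY = {
    "EXPKEYSIG": "key expired",
    "REVKEYSIG": "key revoked",
    "EXPSIG": "signature expired",
}
REJECT = {
    "BADSIG": "bad signature",
    "ERRSIG": "signature could not be checked",
}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (\S+))?")

# Constructed sample status output (key ID and user ID are made up).
SAMPLE_GOOD = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
SAMPLE_REVOKED = "[GNUPG:] NEWSIG\n[GNUPG:] REVKEYSIG 0123456789ABCDEF Example User <user@example.org>\n"


def classify(status_text, honor_advisories=True):
    """Return (decision, key_id, reason) for gpg --status-fd output.

    honor_advisories is the local policy switch (hypothetical name):
    True treats expiry and revocation as binding, False accepts the
    signature anyway and records why it was flagged.
    """
    decision = ("reject", None, "no signature status found")
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        keyword, key_id = m.group(1), m.group(2)
        if keyword in REJECT:
            # Cryptographic failure: never acceptable, whatever the policy.
            return ("reject", key_id, REJECT[keyword])
        if keyword in ADVISORY:
            if honor_advisories:
                return ("reject", key_id, ADVISORY[keyword])
            decision = ("accept", key_id, ADVISORY[keyword] + " (advisory ignored)")
        elif keyword == "GOODSIG":
            decision = ("accept", key_id, "good signature")
    return decision
```

A caller that looks only at whether the signature is mathematically valid behaves like `honor_advisories=False`; defaulting the flag to `True` makes the revocation binding for that verifier.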