Extending the key expiration date
David Shaw
dshaw@jabberwocky.com
Wed Sep 5 14:31:01 2001
On Wed, Sep 05, 2001 at 08:39:35AM +0200, Florian Weimer wrote:
> Subba Rao <subba9@home.com> writes:
>
> > Is it possible to edit the expiration date of the current key?
>
> Yes, it's even possible without invalidating certificates. This is a
> known design flaw in OpenPGP.

I wouldn't call it a flaw. I'd call that a feature :) Having to
revoke the self-signature and put a new one in place will lead to huge
trails of self-signatures followed by certificate revocations followed
by more self-signatures every time the user changed their preferences.

2440 says that implementations should rewrite (i.e. replace) the
self-signature when the key expiration date changes. Both PGP and
GnuPG do that. The problem is when you then send that key to someone
else (or a keyserver) who had the key already with the old
self-signature, and you suddenly find you have two self-signatures.

In any event, the standard allows for multiple self-signatures. It
doesn't give too much help in how to work out conflicts though...

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
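
The two-self-signature case described in the message above, as an added example that is not part of the original post and is not PGP or GnuPG code: it parses the hashed subpacket areas of both self-signatures and takes the key expiration from the most recent one, which is the priority RFC 4880 recommends. It assumes each self-signature has already been cryptographically verified; the function names and sample values are constructed for illustration.

```python
SIG_CREATED, KEY_EXPIRES = 2, 9   # subpacket types, RFC 4880 5.2.3.1

def parse_subpackets(area):
    """Split a hashed subpacket area into {type: data}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # 255 + four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        out[area[i] & 0x7F] = area[i + 1:i + length]   # drop the critical bit
        i += length
    return out

def effective_expiry(key_created, selfsig_areas):
    """Expiry (Unix time) taken from the newest self-signature, or None."""
    best = None
    for area in selfsig_areas:
        sp = parse_subpackets(area)
        if len(sp.get(SIG_CREATED, b"")) != 4:
            continue                          # no usable creation time
        made = int.from_bytes(sp[SIG_CREATED], "big")
        if best is None or made > best[0]:
            best = (made, sp)
    if best is None:
        return None
    ttl = int.from_bytes(best[1].get(KEY_EXPIRES, b""), "big")
    return key_created + ttl if ttl else None  # 0 or absent: never expires

# Constructed sample data (not taken from a real key).
def make_area(sig_created, ttl):
    sub = lambda t, v: bytes([5, t]) + v.to_bytes(4, "big")
    return sub(SIG_CREATED, sig_created) + sub(KEY_EXPIRES, ttl)

DAY, KEY_CREATED = 86400, 1_000_000_000
OLD = make_area(KEY_CREATED, 365 * DAY)               # original self-signature
NEW = make_area(KEY_CREATED + 300 * DAY, 730 * DAY)   # after extending expiry

if __name__ == "__main__":
    for order in ([OLD, NEW], [NEW, OLD]):            # merge order must not matter
        print(effective_expiry(KEY_CREATED, order))
```
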