Extending the key expiration date

David Shaw dshaw@jabberwocky.com
Wed Sep 5 14:31:01 2001

On Wed, Sep 05, 2001 at 08:39:35AM +0200, Florian Weimer wrote:

> Subba Rao <subba9@home.com> writes:
> > Is it possible to edit the expiration date of the current key?
> Yes, it's even possible without invalidating certificates. This is a
> known design flaw in OpenPGP.
I wouldn't call it a flaw. I'd call that a feature :) Having to revoke the self-signature and put a new one in place will lead to huge trails of self-signatures followed by certificate revocations followed by more self-signatures every time the user changed their preferences. 2440 says that implementations should rewrite (i.e. replace) the self-signature when the key expiration date changes. Both PGP and GnuPG do that. The problem is when you then send that key to someone else (or a keyserver) who had the key already with the old self-signature, and you suddenly find you have two self-signatures. In any event, the standard allows for multiple self-signatures. It doesn't give too much help in how to work out conflicts though... David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson