My key expired, do I need to revoke

David Shaw dshaw@jabberwocky.com
Mon Aug 5 13:34:58 2002


On Sun, Aug 04, 2002 at 12:53:39PM +0200, Florian Weimer wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
> 
> > On Sat, Aug 03, 2002 at 12:11:48PM +0100, Sean Rima wrote:
> >> My GPG key expired during July (I was on holiday then hospital). I am
> >> going to generate a new secret pair but was wondering if I should send
> >> a revoke to the pgp key servers.
> >
> > The OpenPGP standard allows you to extend the expiration date of your
> > key.
> 
> The format allows it, but implementations may enforce strict
> expiration.  Behavior of implementations is mostly outside the scope
> of RFC 2440(bis).

Fair enough, but at least the "big two" of implementations, PGP and
GnuPG, both permit it.  Offhand, I don't know of an implementation
that doesn't allow it.

The expiration situation is somewhat unfortunate in OpenPGP, as a hard
expiration limit (as in v3 keys) can be very useful.  Perhaps someday
there will be "v5" keys that can support both hard (like v3) and soft
(like v4) limits in one.  Incidentally, this is how GnuPG handles v3
keys with v4 self-sigs - the v3 limit is the hard limit, and the key
cannot be used beyond that no matter what.  The v4 limit in the
self-sig can be used to lower, but not raise this limit.  There is of
course no guarantee how other implementations will handle this case.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
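Added illustration (not part of the thread, and not GnuPG's code): a small Python model of the hard/soft expiration rule David describes. A v3 key's validity period is fixed in the key packet, while a v4-style key expiration lives in the self-signature and can be replaced by issuing a new self-signature; the combined rule is that the self-sig may lower but never raise the v3 limit. The data classes, the `SelfSig`/`Key` names and the helper functions are assumptions made for the example; it is not a packet parser, and the dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Constructed helper: build a timezone-aware timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass
class SelfSig:
    """Hypothetical model of one self-signature on the primary key."""
    created: datetime
    # OpenPGP "Key Expiration Time" subpacket: a period after key creation.
    # None models a self-sig that carries no expiration subpacket at all.
    key_expires_after: Optional[timedelta]


@dataclass
class Key:
    """Hypothetical model of a primary key; only the fields needed here."""
    version: int                                # 3 or 4
    created: datetime
    # v3 keys carry a validity period in the key packet itself; None = never
    # expires.  Ignored for v4 keys, which have no such field.
    v3_validity: Optional[timedelta] = None
    self_sigs: List[SelfSig] = field(default_factory=list)


def hard_expiry(key: Key) -> Optional[datetime]:
    """v3 limit: fixed in the key packet, cannot be changed after the fact."""
    if key.version == 3 and key.v3_validity is not None:
        return key.created + key.v3_validity
    return None


def soft_expiry(key: Key) -> Optional[datetime]:
    """v4-style limit: taken from the most recent self-signature."""
    if not key.self_sigs:
        return None
    latest = max(key.self_sigs, key=lambda s: s.created)
    if latest.key_expires_after is None:
        return None
    return key.created + latest.key_expires_after


def effective_expiry(key: Key) -> Optional[datetime]:
    """Rule from the post: the hard limit wins; a self-sig may lower it, never raise it."""
    hard, soft = hard_expiry(key), soft_expiry(key)
    if hard is None:
        return soft
    if soft is None:
        return hard
    return min(hard, soft)


def is_usable(key: Key, now: datetime) -> bool:
    expiry = effective_expiry(key)
    return expiry is None or now < expiry


def extend_expiry(key: Key, new_period: Optional[timedelta], now: datetime) -> Optional[datetime]:
    """Model of re-signing: the only way OpenPGP offers to change an expiry is a
    new self-signature.  Returns the effective expiry after the new signature."""
    key.self_sigs.append(SelfSig(created=now, key_expires_after=new_period))
    return effective_expiry(key)


if __name__ == "__main__":
    # Constructed scenario: a key that expired in July 2002, re-signed in August.
    k4 = Key(version=4, created=utc(2001, 7, 1),
             self_sigs=[SelfSig(utc(2001, 7, 1), days(365))])
    print("v4 before re-sign:", effective_expiry(k4), is_usable(k4, utc(2002, 8, 5)))
    print("v4 after  re-sign:", extend_expiry(k4, days(3 * 365), utc(2002, 8, 5)))

    k3 = Key(version=3, created=utc(2001, 7, 1), v3_validity=days(365))
    print("v3 after  re-sign:", extend_expiry(k3, days(3 * 365), utc(2002, 8, 5)))
```

The v4 key becomes usable again once a self-signature with a later expiry is issued, which is the "extend the expiration" case from the thread. The v3 key does not: the same new self-signature leaves the effective expiry at the v3 limit, while a self-signature with a shorter period does shorten it.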