Robot CA at toehold.com

Kyle Hasselbacher kyle@toehold.com
Thu Dec 5 21:59:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 05, 2002 at 03:08:20PM -0500, David Shaw wrote:
>On Thu, Dec 05, 2002 at 11:30:13AM -0600, Kyle Hasselbacher wrote:
>> I wanted to make signatures that expire, but I didn't see an obvious way to
>> do it with GnuPG.  If the key itself expires, it gives you the option of
>> expiring your signature at the same time (and the robot does that), but I
>> didn't see a way to set an arbitrary expiration date for a signature.
>> 
>> I considered having the robot's key expire periodically, but I decided
>> against it.
>
>You know, now that I think about this some more, whether the key or
>the sigs expire, people are going to have to get re-signed
>periodically.  (Let's say 1 year for the sake of argument).  Given
>that, it's not clear which is better:
>
>1) Expire the robot's key every year.
>
>2) Expire each signature the robot makes every year.
>
>3) Both (if you're planning on doing #1, there is no harm expiring the
>   sigs at the same time).  No real benefit either though.
>
>#1 helps with the problem that the robot's key lives on a box
>publicly available on the net.  If that box gets cracked, then the
>robot's key can be abused.  This helps put a limit on the amount of
>abuse possible (though you should still keep a revocation certificate
>and revoke the key if necessary).  The drawback is that everyone using
>the system would need to get the new robot key each year.
>
>#2 is good since it simplifies what the end user needs to do -
>specifically, they don't need to fetch a new key each year to verify
>these signatures.
>
>Given that there must be a way to revoke and re-issue a robot's key
>(for example, you've already had to do this once), I'm leaning towards
>#1 or #3 now.  Of course, I pulled the "1 year" time period out of
>thin air.

I prefer #2, myself, maybe #3.  If the robot's key expires, suddenly all
its users want to get re-signed on the same day.  I'd rather they get their
new sigs over a longer time period (i.e., the time it took them all to get
them in the first place).  The robot's load continually increases as it
handles old users as well as new, but it won't have a big "flag day" spike
where the one key expired.

If I were doing #3, I'd make the robot's key expire after a longer time.
That is, sigs expire every four months (say), but the main key doesn't
expire for two years.

Perhaps I'll implement the --ask-cert-expire thing below, make a new key
without such a long life, and revoke the old one.

>Incidentally, the option you are looking for to make expiring
>signatures is --ask-cert-expire.

Clearly I should have read more documentation.  Thank you!
- -- 
Kyle Hasselbacher | A good programmer is one who looks both ways
kyle@toehold.com  | before crossing a one-way street.  -- Doug Linder
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9775X10sofiqUxIQRAqjcAKDXCXb5/UFobQ+6wj4QDZQTLMcQZQCgw+kx
uNHV/qMuJPWbpLNHMhHWQvo=
=t2jo
-----END PGP SIGNATURE-----