signatures by a key that has since expired

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Sat Jul 19 17:31:02 2003


On Saturday 19 July 2003 00:41, Neil Williams wrote:
> 1. How should I handle signatures on my key where the signing key has since
> expired? (The key was valid at the time that the keyholder signed my key.)

Yo!

Well, the OpenPGP 'trust model' really doesn't exist and leaves everything
open to the interpretation of the users. This is not necessarily good, but
also it doesn't force you to think what some authors of the standard thought.

My reasoning:

A key signature confirms an ID check at some point in time. This check has
been performed, regardless of the expiry of the key that made the signature.
So I guess such signatures should be perfectly valid.

An expiry date on a key signature is probably related to the fact that the key
signature is not really attached to the key holder, but only to his email
address. So there needs to be trust that the key holder will be reachable at
that email address. (OTOH, if you can trust the key holder to keep his secret
key secret, all that can happen is a few encrypted messages sent to the wrong
address, which isn't really that bad in most cases).

This is totally different from a revoked signature, where the signer makes a
statement that he doesn't trust the key anymore (either because it was
compromised, or because the signer suddenly thinks that the key holder has a
faked ID).

To overcome the lack of a defined trust model, I always use a policy URL if I
make a signature (key or email) - so you'll always be able to look up exactly
what I meant by making this signature.

> 5. Are signatures made by a key that has since expired removed from the web
> of trust calculations?

Can't answer you this.

cheers
-- vbi

-- 
random link of the day: http://fortytwo.ch/sienapei/ileikood

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj8ZZIRgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw
NzFiMjVlYjcwMDZkYTNlAAoJEIukMYvlp/fWGgoAoOGhAYITnUuAPtdDOVp4Eg8f
/2LwAJsGGBgpU2uE0faexu/sIXNSzpDyDg==
=N1mm
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e

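The reasoning in the message above (a certification records an ID check at a point in time, so the signer's key only needs to have been valid when the certification was made, whereas a revoked certification withdraws the statement entirely) can be written down as a small policy evaluator. The following is an added example that models that reasoning; it is not code from the original message, from GnuPG, or from any OpenPGP implementation, and it does not claim to reproduce how any real web-of-trust calculation treats such certifications. Key IDs, dates and the policy URL in the sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed, simplified model of the data an evaluator would see.
@dataclass(frozen=True)
class SignerKey:
    key_id: str                  # constructed placeholder, not a real key ID
    created: datetime
    expires: Optional[datetime]  # None means the key never expires

@dataclass(frozen=True)
class Certification:
    signer: SignerKey
    made_at: datetime            # signature creation time of the certification
    revoked: bool = False        # signer has issued a revocation for this certification
    policy_url: Optional[str] = None  # what the signer meant by the signature

def certification_status(cert: Certification, now: datetime) -> tuple[bool, str]:
    """Decide whether a certification still counts, per the policy argued above.

    A revocation by the signer always wins: the signer no longer stands behind
    the statement. Otherwise the certification counts if the signer's key was
    valid at the time the certification was made; later expiry of the signer's
    key does not undo an ID check that already happened.
    """
    k = cert.signer
    if cert.revoked:
        return False, "revoked: the signer has withdrawn the statement"
    if cert.made_at < k.created:
        return False, "invalid: made before the signer's key existed"
    if k.expires is not None and cert.made_at > k.expires:
        return False, "invalid: made after the signer's key had expired"
    if k.expires is not None and now > k.expires:
        return True, "valid: signer's key has since expired, but was valid when the ID check was certified"
    return True, "valid: signer's key is still valid"

def count_valid(certs: list[Certification], now: datetime) -> int:
    """Number of certifications on a key that still count under this policy."""
    return sum(1 for c in certs if certification_status(c, now)[0])

# Constructed sample: three certifiers, evaluated in 2003 (the date of the message).
UTC = timezone.utc
NOW = datetime(2003, 7, 19, tzinfo=UTC)
ALICE = SignerKey("ALICE-PLACEHOLDER", datetime(2000, 1, 1, tzinfo=UTC), datetime(2002, 1, 1, tzinfo=UTC))
BOB = SignerKey("BOB-PLACEHOLDER", datetime(2001, 6, 1, tzinfo=UTC), None)
CAROL = SignerKey("CAROL-PLACEHOLDER", datetime(2001, 1, 1, tzinfo=UTC), datetime(2004, 1, 1, tzinfo=UTC))

SAMPLE_CERTS = [
    # Alice's key expired in 2002, but she certified in 2001 while it was valid: still counts.
    Certification(ALICE, datetime(2001, 3, 1, tzinfo=UTC),
                  policy_url="http://example.invalid/policy"),
    # A certification dated after Alice's key expired cannot have been made by a valid key.
    Certification(ALICE, datetime(2002, 6, 1, tzinfo=UTC)),
    # Bob's key never expires but he revoked his certification: does not count.
    Certification(BOB, datetime(2002, 1, 1, tzinfo=UTC), revoked=True),
    # Carol's key is still valid and the certification is not revoked: counts.
    Certification(CAROL, datetime(2002, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        ok, why = certification_status(c, NOW)
        print(f"{c.signer.key_id:18} {c.made_at.date()} -> {why}")
    print("certifications that count:", count_valid(SAMPLE_CERTS, NOW))
```

The evaluator deliberately separates the two questions the message keeps apart: whether the certifier's key was valid at signing time (a fact about the past) and whether the certifier has since revoked the certification (a present statement). A real implementation would additionally verify the signature bytes themselves before any of this reasoning applies.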