importing keys with expired signatures into gnupg

Geraint Paul Bevan g.bevan@eng.gla.ac.uk
Thu Jul 31 22:26:02 2003


vedaal@hush.com wrote:
 > recently there was a description about a v3 key with an expired
 > signature, causing a problem with its importation into gnupg
 >
 > [1] is this only for v3 keys, or all key types ?
 >
 > [2] can this be maliciously exploited by signing a key with a signature
 > set to expire for the next day, uploading the key, and then causing
 > difficulty for anyone trying to import it?

If you are referring to the problems that I have been having recently, I
have just today been sent another copy of the key (v3) from my
correspondent's corporate key server; this one didn't have the dodgy v4
expired signature and it appeared to import flawlessly.

(I'd just like to take this opportunity to thank you all for the
assistance I have been given, particularly Werner Koch)

This dud signature certainly caused me a lot of problems, but it was a
signature by the owner of the key, rather than just that of a random
stranger. I don't know if that would make any difference. It might not
be a bad idea to have an "--ignore-expire" option for gnupg however
(although having looked closely at the code, I don't think that I am up
to the task of contributing to it at the moment, sorry)


By the way, I am still having problems with my communications; although
I can encrypt messages, this particular recipient can't decrypt the
messages (certainly secure!). I wonder if it may be the options that I
am using (algorithm, compression, ascii, etc.) that are causing the
problem. I know that tools from iT_SEC and MS Outlook are being used at
the other end. Does anyone have any experience of using GnuPG to
communicate with the iT_SEC stuff? Any hints would be greatly appreciated.


-- 
Geraint Bevan
Department of Mechanical Engineering
University of Glasgow
Tel: +44 (0)141 330 5917