importing keys with expired signatures into gnupg
Geraint Paul Bevan
g.bevan@eng.gla.ac.uk
Thu Jul 31 22:26:02 2003
vedaal@hush.com wrote:
> recently there was a description about a v3 key with an expired signature,
> causing a problem with its importation into gnupg
>
> [1] is this only for v3 keys, or all key types ?
>
> [2] can this be maliciously exploited by signing a key with a signature
> set to expire for the next day, uploading the key, and then causing difficulty
> for anyone trying to import it?

If you are referring to the problems that I have been having recently, I
have just today been sent another copy of the key (v3) from my
correspondent's corporate key server; this one didn't have the dodgy v4
expired signature and it appeared to import flawlessly.

(I'd just like to take this opportunity to thank you all for the
assistance I have been given, particularly Werner Koch)

This dud signature certainly caused me a lot of problems, but it was a
signature by the owner of the key, rather than just that of a random
stranger. I don't know if that would make any difference. It might not
be a bad idea to have an "--ignore-expire" option for gnupg however
(although having looked closely at the code, I don't think that I am up
to the task of contributing to it at the moment, sorry)

By the way, I am still having problems with my communications; although
I can encrypt messages, this particular recipient can't decrypt the
messages (certainly secure!). I wonder if it may be the options that I
am using (algorithm, compression, ascii, etc.) that are causing the
problem. I know that tools from iT_SEC and MS Outlook are being used at
the other end. Does anyone have any experience of using GnuPG to
communicate with the iT_SEC stuff? Any hints would be greatly appreciated.

--
Geraint Bevan
Department of Mechanical Engineering
University of Glasgow
Tel: +44 (0)141 330 5917