Checking expiration dates
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Mon Apr 19 09:48:37 CEST 2004
On Friday 16 April 2004 19.14, Hasnain Mujtaba wrote:
> Hi,
>
> If I understood it correctly, V4 OpenPGP Master keys never expire and
> are only used for signing.
Sorry, you did not understand entirely correctly.
You *may* use v4 OpenPGP keys in that way, but you don't have to. By
default, gnupg creates a primary key (what you call master key) which
is used for signing (keys and data both) and a subkey for encryption.
The change wrt expiry is that v4 does not have an expiration date in
the key, but only in the self signature. So a key expires when all
userids have expired. By renewing the self-signatures on the userids
you can change the expiration date of the userid (and, hence, the key)
- IIRC all implementations should only look at the newest
self-signature of the userid under consideration when verifying a key.
> So, if the subkey expires, does that
> render the master key useless as well? Or can the user continue to
> use the master key for signing and verifying?
The primary key is completely independent from its subkeys. You can add
subkeys to a primary, and you can have subkeys expire, and you can
revoke subkeys, all this doesn't affect the primary key.
Validity of the primary is determined by the validity of the userids -
as long as there is a valid userid, the key can be considered valid.
You could even have a window of time where the key was not valid at
all, but it would become valid again when a valid self-signature is
added to a userid, or a valid userid is added to the key.
I'm not entirely certain of all facts, for details you'll have to figure
out exactly which self-signatures are interpreted by the various
OpenPGP implementations on key verification.
cheers
-- vbi
--
Today is Prickle-Prickle, the 36th day of Discord in the YOLD 3170
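The rules stated in the reply above (expiry lives in the self-signature, only the newest self-signature on a user ID counts, the primary stays valid while any user ID is valid, subkey expiry is independent of the primary, and a key can become valid again after a gap) can be made concrete with a small model. The following is an added example for this archive page, not code from GnuPG or from the poster; the key, user IDs, subkey and times are all constructed, and times are days after an arbitrary epoch rather than real timestamps:

```python
"""Added model (not GnuPG code) of how OpenPGP v4 validity follows from
self-signatures.  All keys, user IDs and times are constructed; times are
days after an arbitrary epoch rather than real timestamps."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SelfSig:
    """A self-signature on a user ID, or a binding signature on a subkey.

    created:       when the signature was made
    expires_after: the key-expiration value carried *in the signature*
                   (RFC 4880 subpacket 9: seconds, here days, after the
                   signed key's creation time); None means 'never expires'
    """
    created: int
    expires_after: Optional[int]


@dataclass
class UserID:
    name: str
    self_sigs: List[SelfSig]


@dataclass
class Subkey:
    created: int
    binding_sigs: List[SelfSig]


@dataclass
class PrimaryKey:
    created: int
    user_ids: List[UserID]
    subkeys: List[Subkey]


def newest_sig(sigs: List[SelfSig], at: int) -> Optional[SelfSig]:
    """Only the newest signature that already existed at time `at` counts;
    this is the 'look at the newest self-signature' rule from the post."""
    existing = [s for s in sigs if s.created <= at]
    return max(existing, key=lambda s: s.created) if existing else None


def _unexpired(key_created: int, sig: Optional[SelfSig], at: int) -> bool:
    if sig is None:
        return False                     # nothing binds it yet: not valid
    if sig.expires_after is None:
        return True                      # signature says 'never expires'
    return at < key_created + sig.expires_after


def userid_valid(key: PrimaryKey, uid: UserID, at: int) -> bool:
    return _unexpired(key.created, newest_sig(uid.self_sigs, at), at)


def primary_valid(key: PrimaryKey, at: int) -> bool:
    """The primary is valid as long as at least one user ID is valid."""
    return any(userid_valid(key, uid, at) for uid in key.user_ids)


def subkey_valid(sub: Subkey, at: int) -> bool:
    """A subkey's own expiry is read from its newest binding signature and
    has no effect on the primary key."""
    return _unexpired(sub.created, newest_sig(sub.binding_sigs, at), at)


def build_example_key() -> PrimaryKey:
    """Constructed key: created day 0; one user ID whose first self-sig
    expires at day 100 and is renewed (new self-sig) on day 200 to expire at
    day 400; a second user ID with a non-expiring self-sig is added on day
    300; one encryption subkey expires on day 30."""
    alice = UserID("alice (constructed)", [
        SelfSig(created=0, expires_after=100),
        SelfSig(created=200, expires_after=400),
    ])
    alice_work = UserID("alice at work (constructed)", [
        SelfSig(created=300, expires_after=None),
    ])
    enc = Subkey(created=0, binding_sigs=[SelfSig(created=0, expires_after=30)])
    return PrimaryKey(created=0, user_ids=[alice, alice_work], subkeys=[enc])


def timeline(key: PrimaryKey, days: List[int]):
    """Return (day, primary_valid, subkey_valid) for each day asked about."""
    return [(d, primary_valid(key, d), subkey_valid(key.subkeys[0], d))
            for d in days]


if __name__ == "__main__":
    for day, prim, sub in timeline(build_example_key(), [10, 50, 150, 250, 420]):
        print(f"day {day:3d}: primary {'valid' if prim else 'NOT valid'}, "
              f"subkey {'valid' if sub else 'expired'}")
```

Walking the timeline shows each point of the reply: on day 50 the encryption subkey has expired while the primary is still valid; on day 150 no user ID is valid, so the primary is not valid at all; the self-signature made on day 200 makes the same user ID (and so the key) valid again; and after the first user ID expires on day 400 the non-expiring second user ID keeps the primary valid. Note that the expiry is computed from the signed key's creation time plus the value in the signature, not from the signature's own creation time. Which older or newer self-signatures a real implementation honours is exactly the point the poster says must be checked per implementation; this model only encodes the "newest self-signature wins" rule.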
More information about the Gnupg-users mailing list