Checking expiration dates

Adrian 'Dagurashibanipal' von Bidder avbidder at
Mon Apr 19 09:48:37 CEST 2004

On Friday 16 April 2004 19.14, Hasnain Mujtaba wrote:
> Hi,
> If I understood it correctly, V4 OpenPGP Master keys never expire and
> are only used for signing.

Sorry, you did not understand entirely correctly.

You *may* use v4 OpenPGP keys in that way, but you don't have to. By 
default, gnupg creates a primary key (what you call master key) which 
is used for signing (keys and data both) and a subkey for encryption. 
The change wrt expiry is that v4 does not have an expiration date in 
the key, but only in the self signature. So a key expires when all 
userids have expired. By renewing the self-signatures on the userids 
you can change the expiration date of the userid (and, hence, the key) 
- IIRC all implementations should only look at the newest 
self-signature of the userid under consideration when verifying a key.

> So, if the subkey expires, does that 
> render the master key useless as well? Or can the user continue to
> use the master key for signing and verifying?

The primary key is completely independent from its subkeys. You can add 
subkeys to a primary, and you can have subkeys expire, and you can 
revoke subkeys, all this doesn't affect the primary key.

Validity of the primary is determined by the validity of the userids - 
as long as there is a valid userid, the key can be considered valid. 
You could even have a window of time where the key was not valid at 
all, but it would become valid again when a valid self-signature is 
added to a userid, or a valid userid is added to the key.

I'm not entirely certain of all facts, for details you'll have to figure 
out exactly which self-signatures are interpreted by the various 
OpenPGP implementations on key verification.

-- vbi

Today is Prickle-Prickle, the 36th day of Discord in the YOLD 3170
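The rule described in the message above (v4 expiry lives in the self-signature's Key Expiration Time subpacket, the newest self-signature on each user ID wins, and subkeys carry their own expiry in their binding signature) can be made concrete by walking the packets of a key. The following is an added example, not code from the original post or from GnuPG. It builds a constructed OpenPGP key in memory (dummy RSA MPIs, bogus signature values, a made-up creation time `T0`, and a fabricated "stranger" issuer ID for a third-party certification) and then parses it with the post's rule. It does not verify any signature cryptographically; a real implementation must do that before believing any subpacket. The expiry and creation-time subpackets are only honoured from the hashed area, since the unhashed area is not covered by the signature.

```python
"""OpenPGP v4 key expiry: the expiry lives in self-signatures, not in the key packet.

Added example (not from the original post). Builds a constructed, cryptographically bogus
transferable public key, then applies the rule from the post: per user ID only the newest
self-signature's Key Expiration Time (subpacket 9) counts; a subkey's expiry comes from its
own binding signature. No signature is verified here; real code must verify before trusting.
"""
import hashlib
import struct

T0 = 1_082_000_000          # constructed primary-key creation time (spring 2004)
DAY = 86400
YEAR = 365 * DAY

# ---- builders for the constructed key (RFC 4880 old-format headers, 2-octet lengths) ----
def _packet(tag, body):
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _subpacket(sp_type, body):          # one-octet length form; the length covers the type octet
    return bytes([len(body) + 1, sp_type]) + body

def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _pubkey_body(created, n):            # v4: version, creation time, algo 1 (RSA), MPIs n and e (dummies)
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(65537)

def v4_keyid(pk_body):
    # v4 fingerprint = SHA-1(0x99 || 2-octet body length || body); key ID = low 64 bits
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pk_body)) + pk_body).digest()[-8:]

def _sig_body(sig_type, created, issuer, key_expiry=None):
    hashed = _subpacket(2, struct.pack(">I", created))            # Signature Creation Time
    if key_expiry is not None:
        hashed += _subpacket(9, struct.pack(">I", key_expiry))    # Key Expiration Time, relative to key creation
    unhashed = _subpacket(16, issuer)                             # Issuer key ID
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + _mpi(1))  # bogus left16 + sig MPI

def build_demo_key():
    pk, sub = _pubkey_body(T0, 0x02AB), _pubkey_body(T0, 0x03CD)
    kid = v4_keyid(pk)
    stranger = bytes.fromhex("0123456789abcdef")                  # constructed ID of some other key
    return (_packet(6, pk)
            + _packet(13, b"Example User <user@example.org>")
            + _packet(2, _sig_body(0x13, T0, kid, YEAR))                  # original self-sig: 1 year
            + _packet(2, _sig_body(0x13, T0 + 300 * DAY, kid, 3 * YEAR))  # renewal: 3 years from creation
            + _packet(2, _sig_body(0x10, T0 + 400 * DAY, stranger, DAY))  # third-party cert: must be ignored
            + _packet(14, sub)
            + _packet(2, _sig_body(0x18, T0, kid, YEAR)))                 # subkey binding: 1 year

# ---- parser ----
def parse_packets(data):
    out, i = [], 0
    while i < len(data):
        ptag = data[i]; i += 1
        if ptag & 0x40:                                            # new-format header
            tag, first = ptag & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                                      # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 3
            if ltype == 0: length = data[i]; i += 1
            elif ltype == 1: length = struct.unpack(">H", data[i:i + 2])[0]; i += 2
            elif ltype == 2: length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("indeterminate length not supported")
        out.append((tag, data[i:i + length])); i += length
    return out

def parse_subpackets(area):
    out, i = [], 0
    while i < len(area):
        first = area[i]; i += 1
        if first < 192: length = first
        elif first < 255: length = ((first - 192) << 8) + area[i] + 192; i += 1
        else: length = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        out.append((area[i] & 0x7F, area[i + 1:i + length])); i += length   # high bit = critical flag
    return out

def parse_signature(body):
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    sig = {"type": body[1], "created": None, "key_expiry": None, "issuer": None}
    for t, b in parse_subpackets(body[6:6 + hlen]):               # only the hashed area is signed
        if t == 2: sig["created"] = struct.unpack(">I", b)[0]
        elif t == 9: sig["key_expiry"] = struct.unpack(">I", b)[0]
        elif t == 16: sig["issuer"] = b
    for t, b in parse_subpackets(body[8 + hlen:8 + hlen + ulen]):  # issuer alone may live unhashed
        if t == 16 and sig["issuer"] is None: sig["issuer"] = b
    return sig

def analyse(data):
    packets = parse_packets(data)
    tag, pk = packets[0]
    if tag != 6 or pk[0] != 4:
        raise ValueError("expected a v4 public-key packet first")
    primary_id, primary_created = v4_keyid(pk), struct.unpack(">I", pk[1:5])[0]
    info = {"created": primary_created, "uids": {}, "subkeys": []}
    target = None                                                  # what following signatures bind to
    for tag, body in packets[1:]:
        if tag == 13:
            target = ("uid", body.decode("utf-8", "replace"), primary_created)
            info["uids"][target[1]] = None                         # None until a self-signature is seen
        elif tag == 14:
            info["subkeys"].append(None)
            target = ("sub", len(info["subkeys"]) - 1, struct.unpack(">I", body[1:5])[0])
        elif tag == 2 and target is not None:
            sig = parse_signature(body)
            kind, key, key_created = target
            if sig["issuer"] != primary_id:
                continue                                           # third-party certification: no say over expiry
            if not ((kind == "uid" and 0x10 <= sig["type"] <= 0x13) or (kind == "sub" and sig["type"] == 0x18)):
                continue
            expires = None if sig["key_expiry"] is None else key_created + sig["key_expiry"]
            bucket, made = (info["uids"] if kind == "uid" else info["subkeys"]), sig["created"] or 0
            if bucket[key] is None or made > bucket[key]["sig_created"]:
                bucket[key] = {"sig_created": made, "expires": expires}   # newest self-signature wins
    return info

def primary_valid_at(info, t):
    """The post's rule: valid while at least one user ID has an unexpired newest self-signature."""
    return any(u is not None and (u["expires"] is None or t < u["expires"]) for u in info["uids"].values())

def subkey_valid_at(info, index, t):
    s = info["subkeys"][index]
    return s is not None and (s["expires"] is None or t < s["expires"])

if __name__ == "__main__":
    info = analyse(build_demo_key())
    for name, u in info["uids"].items():
        print(f"uid {name}: newest self-sig expires at {u['expires']} (key created {info['created']})")
    print("subkey 0 expires at", info["subkeys"][0]["expires"])
    print("primary valid two years in:", primary_valid_at(info, T0 + 2 * YEAR))
    print("subkey valid two years in: ", subkey_valid_at(info, 0, T0 + 2 * YEAR))
```

Run against the constructed key, the user ID's effective expiry is three years after `T0` (the renewed self-signature replaces the original one-year expiry), the subkey still expires after one year (its binding signature was never renewed), and the later third-party certification with a one-day expiry is ignored because its issuer is not the primary key. That is the independence the post describes: two years in, the subkey has expired while the primary remains valid; four years in, with no valid user ID left, the primary is no longer valid either.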

More information about the Gnupg-users mailing list