Set date for signature to expire
David Shaw
dshaw at jabberwocky.com
Tue Jun 14 15:14:14 CEST 2005
On Tue, Jun 14, 2005 at 02:58:32PM +0200, Jan Niehusmann wrote:
> On Wed, Jun 08, 2005 at 02:09:59AM +0200, Per Tunedal Casual wrote:
> > True, but it might be convenient anyhow. The shorter the time, the safer
> > the guess!
> >
> > One way is to assume that the key is attacked immediately and that all the
> > security is in the passphrase. Make an estimation of the strength of the
> > passphrase and you are done!
>
> But then, the safe guess would be that the attack did start immediately
> when the key was generated, not when the signature was added. So,
> following your logic, you should never sign a key older than your
> estimated passphrase-guessing-time.
>
> I guess one should leave that decision to the key owner. The signature
> only tells one thing: This key belongs to person XYZ. And nothing about
> key security.
In general I agree. There is one spot in GnuPG where the behavior is
slightly different than this - if you sign a key that has an
expiration date (key expiration), then by default the expiration date
of your signature will be that date. This was added because in v4
OpenPGP keys, there is no notion of a "hard" expiration date. We
currently only have a "soft" expiration date that can be extended.
It's one of those little fiddly details that come up now and then.
> Signature expiration dates are useful when "person XYZ" is not (only) a
> natural person, but some kind of role account (e.g. "CEO of Company
> ABC"), where that role is not a permanent one, but may change in future.
>
> Currently, I can't imagine other sensible uses for signature expiration
> (but I'm not claiming there aren't - it's only my limited imagination).
They're also useful for a CA or a CA-like entity, who wants to verify
for an artificially short period of time. For example, something like
keyserver.pgp.com, which verifies only for 2 weeks to force users of
your key to refresh frequently. Or take a CA that sells
certifications - they want you to buy another signature after a year
:)
David
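The default David describes above, as an added example that is not from the thread or from GnuPG: the OpenPGP subpacket arithmetic (RFC 4880 section 5.2.3) that rebases a key's expiration, stored as seconds after key creation in the self-signature, into a signature expiration, stored as seconds after signature creation, plus a check for certifications that outlive the key they bind. All timestamps and subpacket bytes below are constructed sample values.

```python
import struct

SIG_CREATION, SIG_EXPIRY, KEY_EXPIRY = 2, 3, 9   # RFC 4880 subpacket types

def encode_subpacket(sub_type: int, body: bytes) -> bytes:
    """Encode one subpacket with the variable-length header of RFC 4880 5.2.3.1."""
    n = len(body) + 1                      # length counts the type octet
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([sub_type]) + body

def parse_subpackets(data: bytes) -> dict:
    """Walk a hashed-subpacket area and return {subpacket type: body bytes}."""
    out, i = {}, 0
    while i < len(data):
        first = data[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        out[data[i]] = data[i + 1:i + n]
        i += n
    return out

def default_sig_expiry(key_created: int, key_expiry_secs: int, sig_created: int) -> int:
    """Signature-expiry value (seconds after sig_created) that makes the
    certification lapse on the key's own expiration date; 0 means never."""
    if key_expiry_secs == 0:               # key never expires, so neither need the sig
        return 0
    remaining = key_created + key_expiry_secs - sig_created   # rebase to sig time
    if remaining <= 0:
        raise ValueError("key already expired at signing time")
    return remaining

def sig_outlives_key(key_created: int, selfsig_subs: dict, cert_subs: dict) -> bool:
    """True when a certification stays valid past the key it certifies."""
    u32 = lambda b: struct.unpack(">I", b)[0]
    key_exp = u32(selfsig_subs.get(KEY_EXPIRY, b"\0\0\0\0"))   # from the self-signature
    sig_exp = u32(cert_subs.get(SIG_EXPIRY, b"\0\0\0\0"))
    if key_exp == 0:
        return False                       # key never expires: nothing to outlive
    if sig_exp == 0:
        return True                        # key expires, signature never does
    return u32(cert_subs[SIG_CREATION]) + sig_exp > key_created + key_exp
```

The "soft" expiration David mentions is exactly why the check matters: once the owner extends the key, a certification that was cut to the old date simply lapses, while one issued without an expiry keeps vouching for the new lifetime.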