Retaining expired sigs

David Shaw dshaw at jabberwocky.com
Sun Mar 20 19:37:04 CET 2005


On Sun, Mar 20, 2005 at 12:18:42PM -0500, Jason Harris wrote:
> On Sat, Mar 19, 2005 at 10:35:47PM -0500, David Shaw wrote:
> > On Sat, Mar 19, 2005 at 03:25:32PM -0500, Jason Harris wrote:
>  
> > > The sig. of 1-Jan-2000 is valid and usable.  It can only be ignored when
> > > superseded.
> > 
> > I agree with your general idea here, but not the details, exactly.
> > What GnuPG does in this case is to take the 1-Jan-2000 signature and
> > ignore any that follow.
> 
> As I said, that makes them decidedly non-modifiable instead of simply
> non-revocable.
> 
> > I don't like the idea of a signature that is temporarily superseded.
> > Either it is superseded (and can be removed) or it is not.  It's a bit
> 
> If one doesn't insist that the latest non-revocable, superseded sigs
> are to be removed, I don't see the problem with temporarily superseded
> sigs.

I think we're not communicating again.  There is no visible difference
between these two things.  What's to have a problem with?

Seriously, think about it:

	   non-revocable sig   1-Jan-2000
	   expiring sig        2-Jan-2000 (expires 10-Jan-2000).

Now, say it's January 3rd.  According to what you want, the signature
that gets used is the 2-Jan-2000.  Then, suddenly, on 10-Jan-2000,
when that signature expires, the 1-Jan-2000 signature is used.

  End result: there is always a signature.

According to what actually happens, the signature that is used is
1-Jan-2000.

  End result: there is always a signature.

I suggest that if it bothers you all that much, you pretend that it's
doing what you want.  It's not like there is a way to tell the
difference.

> BTW, what has your testing of other (OpenPGP(?)) encryption programs
> uncovered?

Haven't checked yet.  I don't know that it'll be terribly illuminating
on the subject of non-revocable sigs since so far as I know, GnuPG is
the only one that implements them (except for the usual use in
designated revokers).  It might reveal something interesting about
expiring sigs though.

David
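
The two selection rules argued about above (GnuPG's "take the non-revocable sig and ignore later ones" versus "newest usable sig wins, keeping the superseded one as a fallback"), as an added model that is not part of the message and not GnuPG's own code; the `Sig` type, the selection functions and the "newest usable wins without a non-revocable sig" default are assumptions of this model. It checks the two policies over the 1-Jan/2-Jan example and reports the dates on which only one of them yields a signature.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Sig:
    created: date
    expires: Optional[date] = None     # None: the signature never expires
    non_revocable: bool = False

def usable(sig: Sig, today: date) -> bool:
    """Usable from its creation date until (not including) its expiry date."""
    return sig.created <= today and (sig.expires is None or today < sig.expires)

def select_gnupg(sigs, today: date) -> Optional[Sig]:
    """Model of the behaviour described in the message: the earliest usable
    non-revocable signature is taken and anything issued after it is ignored.
    Assumption: with no non-revocable signature, the newest usable one is used."""
    usable_sigs = sorted((s for s in sigs if usable(s, today)), key=lambda s: s.created)
    for s in usable_sigs:
        if s.non_revocable:
            return s
    return usable_sigs[-1] if usable_sigs else None

def select_newest_first(sigs, today: date) -> Optional[Sig]:
    """Model of the proposed rule: the newest usable signature wins, and a
    superseded non-revocable signature is kept rather than removed, so it is
    used again once the newer signature expires."""
    return max((s for s in sigs if usable(s, today)),
               key=lambda s: s.created, default=None)

def coverage_differs_on(sigs, start: date, days: int) -> list:
    """Dates in [start, start+days) on which exactly one policy yields a signature."""
    diffs = []
    for n in range(days):
        today = start + timedelta(days=n)
        if (select_gnupg(sigs, today) is None) != (select_newest_first(sigs, today) is None):
            diffs.append(today)
    return diffs

# Constructed input: the two signatures from the message.
EXAMPLE = [
    Sig(date(2000, 1, 1), non_revocable=True),
    Sig(date(2000, 1, 2), expires=date(2000, 1, 10)),
]

if __name__ == "__main__":
    for d in (date(2000, 1, 3), date(2000, 1, 10)):
        print(d, select_gnupg(EXAMPLE, d).created, select_newest_first(EXAMPLE, d).created)
    print("dates where only one policy has a signature:",
          coverage_differs_on(EXAMPLE, date(2000, 1, 1), 30))
```

The policies pick different signatures on 3-Jan but the same one on 10-Jan, and the last line is empty: as the message says, there is always a signature either way.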
