Expired Keys

Neil Williams linux at codehelp.co.uk
Mon Sep 5 01:40:55 CEST 2005

On Sunday 04 September 2005 11:31 pm, Cameron Metzke wrote:
> Basically what im trying to do is build a php frontend to gnupg which
> can act like a keyserver.

But then keyservers don't delete keys - expired or not.

Think about it, when I use a keyserver, I still want to be able to retrieve an 
expired key - so that I can KNOW it's expired!

It's even more important with revoked - simply saying the key isn't listed 
does NOT protect me from an attacker using a compromised (and revoked) key!

There are established protocols and packages for running keyservers - expired 
and revoked keys should be retained.

If you really just mean, as I've done, that you want a PHP/Perl web interface 
to a small group of users' keys then use gnupg and don't set any keys to 
ultimate trust - then there is never any trust to check. Put some other 
authentication in the web site and you could consider using a trust always 
model that allows you to encrypt to any key in the local keyring. Use gnupg 
on the box and something like GnuPG::Interface in Perl to handle the key 
selection and updates and take your updates from *public* keyservers that can 
be relied upon to give you complete and up to date information.


Neil Williams

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050905/b3f3dd78/attachment.pgp

More information about the Gnupg-users mailing list