setting expiration dates

Henry Hertz Hobbit hhhobbit at securemecca.net
Thu Jun 7 03:57:44 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Joseph Oreste Bruni wrote:

> This is interesting: After changing my encryption subkey's expiration  
> by a few days (from 2008-02-07 to 2008-01-01), I tried to upload the  
> updated key to the PGP Global Directory (http://keyserver.pgp.com).  
> It complained that my key had expired, but it hasn't. Submitting the  
> key to the SKS key servers (hkp://pool.sks-keyservers.net) didn't  
> have a problem. My key ID is CD5518C7 if you want to look at it.

I think PGP Global Directory is complaining that the pub key
your sub key is attached to is expired. If it is working by allowing
people to encrypt to you, maybe these are those new changes WK said
have been made. Here is the key I got from PGP Global Directory for
your KEYID after I imported it:

pub   2048R/CD5518C7 2005-02-17
uid       Joseph Oreste Bruni <jbruni_FRAT_mac_com>
uid       Joseph Oreste Bruni <brunij_GNAT_earthlink_net>
uid       Joseph Oreste Bruni <joe.bruni_ATBAT_bestwestern_com>
uid       Joseph Oreste Bruni <brunij_NOSPACE_bestwestern_com>
uid       [jpeg image of size 1173]
sub   2048R/EEA4EC97 2007-01-31 [expires: 2008-01-31]

Well, the email addresses were changed by moe, but you get the
idea.  Your pub key IS expired!  Assuming you still have the same
email address you used when you gave them (PGP) the key, you can
just have them remove your key with the following page:

http://keyserver.pgp.com/vkd/GetRemoveKeyScreen.event

PGP Global Directory doesn't work like the other key servers by
giving you the ability to delete your keys (breaks WOT, but ...).
Having just said the foregoing, here is how your key came down
from pgp.mit.edu (HKP):

pub   2048R/CD5518C7 2005-02-17
uid       Joseph Oreste Bruni <jbruni_FRAT_mac_com>
uid       Joseph Oreste Bruni <brunij_GNAT_earthlink_net>
uid       Joseph Oreste Bruni <joe.bruni_ATBAT_bestwestern_com>
uid       Joseph Oreste Bruni <brunij_NOSPACE_bestwestern_com>
uid       [jpeg image of size 1173]

Hmm, where is the sub key? And here is how it comes down from
the Penguin (X-HKP) in Germany:

pub   2048R/CD5518C7 2005-02-17
uid       Joseph Oreste Bruni <jbruni_FRAT_mac_com>
uid       Joseph Oreste Bruni <brunij_GNAT_earthlink_net>
uid       Joseph Oreste Bruni <joe.bruni_ATBAT_bestwestern_com>
uid       Joseph Oreste Bruni <brunij_NOSPACE_bestwestern_com>
uid       [jpeg image of size 1173]
sub   2048R/EEA4EC97 2007-01-31 [expires: 2008-01-01]

Please do the following as a test for me with the key you
have now (a # indicates a comment):

$ gpg --edit-key CD5518C7
Command> expire
# change the expire date of your pub key to match your
# sub key or at least so it is NOT expired
$ gpg --keyserver hkp://pgp.mit.edu --send-keys CD5518C7
$ gpg --keyserver x-hkp://random.sks.keyserver.penguin.de \
  --send-keys CD5518C7

If desired, after you have deleted your key from the PGP
Global Directory, you can also submit it to them again. Let
me know if you do any of this and I will do the tests again.
Next time I will be FAR shorter in my reply (will just show
any changes from what I have here depending on what you have
done).

You will have to ask the others if having a pub key that is
expired on the key servers is a good idea or even if it is
possible - I don't think it is possible but don't know for
sure.  I was able to sign your key but have NO idea what that
means.  What good does it do to sign an expired key?  My
OPINION is to either say goodbye to the pub key and all the
sub-keys, or keep them ALL freshened up on their expire
date so people know that the key is still good. I normally
interpret a pub key that is expired as having an implicit
meaning that it is no longer used and the person has replaced
that key with a newer key.  So if I intend to keep using a key,
I change the expire dates for the pub key and all sub-keys at
least one month before any of them expire for the desired period
I want to keep them - lots of options to consider, like revoking
your present sub-key and adding a new sub-key, when the expire
date for each key is, etc.  Then I upload my pub key to at least
two keyservers again if it was on the keyservers.

No reply from you means you don't want me to do the tests
and didn't make any changes. If you do the changes, let me
know when you have done it with a Bcc: to me.  I only read
the Digest. Sometimes it goes days before I get a new
bundle of messages.  Sometimes I don't seem to get them at
all, but maybe they fell through the cracks.

HHH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGZ2YYr3QZv1upb6wRCjMSAJ9A/qWNgeQofviDpKpEAat0pMZWLwCgst9+
0U8xKtWRX2r/1Ch+FhAjFho=
=9OYY
-----END PGP SIGNATURE-----
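
Added example (not part of the original message, and not GnuPG's own code): a Python check for the habit described above of refreshing expire dates at least one month before the pub key or any sub-key expires. It reads `gpg --with-colons --list-keys` output, where field 7 of a pub/sub record is the expiration date; the sample listing and its key IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the `gpg --with-colons --list-keys` layout. Key IDs are
# placeholders. Dates appear both as epoch seconds and as YYYY-MM-DD (the form
# older GnuPG 1.4 prints without --fixed-list-mode) to exercise both parsers.
SAMPLE = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1108598400:::-:::scESC:
uid:-::::1108598400::::Example User <user@example.org>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1170201600:1199145600:::::e:
sub:-:2048:1:CCCCCCCCCCCCCCCC:2007-01-31:2008-06-30:::::s:
"""

def parse_date(field):
    """Return an aware UTC datetime, or None when the field is empty."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def expiry_report(listing, now, warn_days=30):
    """Classify every pub/sub record as no-expiry, expired, expiring or ok."""
    report = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 7:
            continue
        expires = parse_date(fields[6])
        if expires is None:
            status = "no-expiry"
        elif expires <= now:
            status = "expired"
        elif expires - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append((fields[0], fields[4], status,
                       expires.date().isoformat() if expires else None))
    return report

if __name__ == "__main__":
    today = datetime(2007, 12, 15, tzinfo=timezone.utc)  # fixed date for the demo
    for rtype, keyid, status, expires in expiry_report(SAMPLE, today):
        print(f"{rtype} {keyid} {status:9} {expires or '-'}")
```

Running the same report over the listing fetched from each keyserver shows at a glance when the servers hold different expire dates for the same sub-key.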


