Best practice for periodic key change?

MFPA expires2011 at
Sat May 7 15:54:21 CEST 2011

Hash: SHA512


On Saturday 7 May 2011 at 1:09:25 PM, in
<mid:BANLkTimpo-Bwz38icRFC-CudrkH968fhZQ at>, Jerome Baum

> Then I would say it is the recipients responsibility to
> only accept "reasonable" signatures.

Fair enough. "Reasonable" is subjective.

> As you say, it is
> only an "attempt" to generate deniability -- nobody
> who's right in their mind would accept a signature on a
> document that is dated before the document itself.

In which case your attempt to generate plausible deniability would
have fooled anybody "who's right in their mind" (because they all
believe the signature timestamp has some meaning besides being the
time/date your system clock happened to be set on when you created the
signature). I'm not sure I buy that.

> Assuming a responsible recipient, the expiration date
> makes sense. Yes, a responsible recipient would refresh
> their keys. Yes, man-in-the-middle. The expiration date
> makes a difference here.

In the edge-case scenario you described previously (where the key only
expired the previous day) I doubt it would make much difference. Even
the weak evidence of the email headers and server logs suggesting your
system clock had been incorrectly set a day behind could be enough to
make your deniability implausible.

> But I
> have no idea of knowing when it was signed, so I have
> to assume it is when it was allegedly signed

That was exactly my point.

> -- and
> yes, this is a problem under certain circumstances.
> However, there is at least one circumstance where the
> expiration date *does* make a difference, which is the
> document dated in the future relative to the signature
> timestamp, from a then-already expired key. So in at
> least one case, the expiration date helps.

A non-digital example of a document signed with a date in the future
is the post-dated cheque, which is supposed to be worthless until the
date written on it. Several people sent me cheques as wedding gifts,
which they dated with our wedding day but we received them during the
couple of weeks before. Most of those were banked the day after we
received them, rather than waiting until we returned from our
honeymoon. A bank clerk tried to refuse the last one I paid in on the
Friday afternoon before our wedding but I persisted and he accepted

The date in the future should have made a difference to those cheques
but did not. (In the case of the last cheque that was queried, it made
no difference because it would be the Monday two days *after* the date
on the cheque that it was presented to the payee's branch for

I suspect that fact of the signature timestamp and the key expiry date
being before the date stated on the document, is something it would be
unwise to rely upon in court. Especially if the other side produced an
"expert" witness who testified about the triviality of altering a
system clock.

> Let's get a concrete idea of such a "document". Say I
> want a statement from you that you legally have access
> to an email account today. Today is 2011-05-07. I have
> your key, with a signing sub-key that expired in 2010.
> I refresh your key but Mallory manipulates the traffic
> and so a revocation certificate wouldn't have helped.
> It's a good thing that your sub-key expired, though,
> because I won't accept the signature from that sub-key
> as I'm looking for an up-to-date statement. In fact,
> I'll probably want: "As of 2011-05-07, I legally have
> access to email at". There is *no way* I would
> accept that when the signature is dated in 2010.

Several months out (because it expired last year) is different to your
previous case of several hours out (because it expired yesterday). I
could put the clock back exactly a year and some recipients may not
spot one digit being different, but they are more likely to notice
that than to notice the day being off (unless it occurs early in the
new year before they have got used to spotting the year without
thinking about it).

> Does that make my point more clear? I wasn't saying
> that under all circumstances the expiration date helps.
> That would be crazy. I was saying that there are
> circumstances where it does,

It helps to raise a question in the mind of the person viewing the
signature (if they spot it).

> and since the cost is so
> low, that there is no point in not having them
> (assuming, of course, that you separate master and
> sub-keys).

You can't assume.

- --
Best regards

MFPA                    mailto:expires2011 at

Life is a holiday. In the same way that glass is a liquid.


More information about the Gnupg-users mailing list