Question regarding unknown certificates

Ingo Klöcker kloecker at
Tue Jan 3 21:49:21 CET 2012

On Tuesday 03 January 2012, Jerome Baum wrote:
> On 2012-01-03 10:59, Werner Koch wrote:
> > I will keep them in the file because these certificates are useful
> > in the "chain" validation model.  Usually we use the "shell" model
> > where expiration dates have an obvious meaning.  For German
> > qualified signatures the "chain" model is required.  Basically, it
> > compares the expiration date to the date given in the signatures.
> I lack the experience to understand how the chain model makes any
> sense at all. Would anyone care to elaborate?
> In my understanding, a signing key can be set to expire to help
> prevent unauthorized use. AFAIK there is no other use in expiring a
> signing key. The situation is different with an encryption key but
> let's focus on signing keys because that's what CA keys are. So we
> need only worry about abuse.
> Now say I'm a CA and my key is set to expire in 4 weeks. I now make a
> certification on another key that is set to expire in a year.

What expires a year from now? Your signature on the other key or the 
other key itself? I guess you meant the other key. (If you sign a key 
with a key with expiration date with GnuPG then you will be asked 
whether the signature shall expire at the same date as your key.)

> Now
> look 5 weeks into the future, my key is stolen. At this point, in
> the shell model, the key is useless to an attacker -- the point in
> expiring my key in the first place.

If your key is stolen, but not compromised, i.e. the attacker has not 
cracked your password, then the key is useless to the attacker 
regardless of any expiration. OTOH, if your key is compromised then the 
attacker will simply set a new expiration date.

The only protection against abuse of a stolen (and potentially 
compromised) key is the revokation of the key.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20120103/23809bc4/attachment-0001.pgp>

More information about the Gnupg-users mailing list