Question regarding unknown certificates

Jerome Baum jerome at
Tue Jan 3 22:41:25 CET 2012

On 2012-01-03 21:49, Ingo Klöcker wrote:
> On Tuesday 03 January 2012, Jerome Baum wrote:
>> Now say I'm a CA and my key is set to expire in 4 weeks. I now make a
>> certification on another key that is set to expire in a year.
> What expires a year from now? Your signature on the other key or the 
> other key itself? I guess you meant the other key. (If you sign a key 
> with a key with expiration date with GnuPG then you will be asked 
> whether the signature shall expire at the same date as your key.)

I see the ambiguity in my sentence. In the context of German qualified
signatures, it's the other key. That's also what I meant.

>> Now
>> look 5 weeks into the future, my key is stolen. At this point, in
>> the shell model, the key is useless to an attacker -- the point in
>> expiring my key in the first place.
> If your key is stolen, but not compromised, i.e. the attacker has not 
> cracked your password, then the key is useless to the attacker 
> regardless of any expiration. OTOH, if your key is compromised then the 
> attacker will simply set a new expiration date.

I meant that the attacker got at the raw key material somehow.

The attacker can't always set a new expiration date. Consider that the
CA key may be confirmed by some master CA which sets the expiration date.

So this question wasn't specific to OpenPGP. (I know this list is called
"gnupg-users" but so far my experience has been that the list is very
friendly for off-topic talk/questions to a reasonable extent.)

> The only protection against abuse of a stolen (and potentially 
> compromised) key is the revokation of the key.

There's an example in my email of how an expiration date can be useful:

> But in the chain model, the attacker can just
> back-date any certification.
> To protect against this in the chain model, we need qualified
> timestamps. To protect against this in the shell model, we only need
> common sense -- I'm pretty sure nobody here emailed a reply to this very
> message a few weeks ago. Time only moves forward.

So the shell model certainly offers protection against certain types of
abuse that the chain model doesn't offer protection against.

Digging deeper into this it appears the hybrid model is an excellent
compromise, with better security than the chain model but still with
long-term non-repudiation.

(I misunderstood the shell model to be the hybrid model. I was surprised
to find out that the shell model expires data signatures as soon as any
certificate in the chain expires.)

Out of those three options, the chain model is the only one in which
this scenario is a problem:

1. CA key has expired.

2. Certifications may be back-dated.

3. (Data) signatures may not be (e.g. follow-up to this thread can't be
three weeks ago).

4. Attacker has access to secret key material (after expiration).

So what is a good reason to use the chain model as opposed to the hybrid
model? I see that you can want data signatures to last beyond the CA
key, but why would you want that for a certification? (And don't tell me
"because SigG says so". :) )

(I'm not at all trying to conclude the chain model is useless. Like I
said I haven't dug deep enough into this material to fully understand
the implications. That's what I'm trying to do and was hoping someone
could share their wisdom. :) People are nicer to interact with than
books and PDFs. )

PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
No situation is so dire that panic cannot make it worse.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 878 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120103/ff363d1f/attachment.pgp>

More information about the Gnupg-users mailing list