encrypting to expired certificates

Hauke Laging mailinglisten at hauke-laging.de
Mon Sep 15 03:05:18 CEST 2014


Hello,

after filing a bug report for my mail client because it does not allow 
me to encrypt to an expired certificate (neither does Enigmail) I was 
surprised to notice that I didn't manage to encrypt to an expired 
certificate with gpg in the console (2.0.22).

Is this not possible (what about gpgme?) or am I just not aware of how 
to get that done?

I would consider not being able to encrypt to an expired key a severe 
security flaw because it may force the sender to send the message 
unencrypted. It is OK to warn the user but it must be possible to 
override this warning. Expiration is not a security problem (let alone a 
severe one).

It does not even work with --encrypt-to. And the man page says about 
this command:

"No trust checking is performed for these user ids and even disabled 
keys can be used."

Non-valid keys are OK, disabled keys are OK, but the least severe case, 
expiration, is not OK?


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5