encrypting to expired certificates

David Shaw dshaw at jabberwocky.com
Mon Sep 15 15:47:21 CEST 2014

On Sep 14, 2014, at 9:05 PM, Hauke Laging <mailinglisten at hauke-laging.de> wrote:

> Hello,
> after filing a bug report for my mail client because it does not allow 
> me to encrypt to an expired certificate (neither does Enigmail) I was 
> surprised to notice that I didn't manage to encrypt to an expired 
> certificate with gpg in the console (2.0.22).
> Is this not possible (what about gpgme?) or am I just not aware of how 
> to get that done?
> I would consider not being able to encrypt to an expired key a severe 
> security flaw because it may force the sender to send the message 
> unencrypted. It is OK to warn the user but it must be possible to 
> override this warning. Expiration is not a security problem (let alone a 
> severe one).

I disagree with this.  Expiration is the way the key owner (the person who knows best whether the key should be used or not) tells the world, "Do not use this key after this date".  If someone encrypts to the key anyway, they are going against the key owner's statement.

I'm sure people can come up with particular scenarios where it is either okay or very not okay to use a key after it is expired, but either way, the key owner gave a date.  Who are we to disregard that?


More information about the Gnupg-users mailing list