encrypting to expired certificates

Robert J. Hansen rjh at sixdemonbag.org
Mon Sep 15 19:19:10 CEST 2014

> Respectfully, Hauke, we just disagree on this.  But your last
> comment raises a crucial point that I think has bugged OpenPGP for
> far too long: the software we use for OpenPGP has actually been far
> too liberal about letting people use "not valid" keys.

If by "too liberal" you mean "it's possible to do it," then I don't see
how to avoid it.  You'd need a trusted timestamp on the certificate and
a trusted timestamp on the machine using the certificates, and trusted
timestamps are a hard, *hard* problem.

Yes, OpenPGP is quite permissive about letting people encrypt to expired
certificates, but I think that's more a factor of it being incredibly
hard to prevent it than it is any neglect on the part of the OpenPGP

More information about the Gnupg-users mailing list