encrypting to expired certificates

Robert J. Hansen rjh at sixdemonbag.org
Mon Sep 15 19:19:10 CEST 2014

> Respectfully, Hauke, we just disagree on this.  But your last
> comment raises a crucial point that I think has bugged OpenPGP for
> far too long: the software we use for OpenPGP has actually been far
> too liberal about letting people use "not valid" keys.

If by "too liberal" you mean "it's possible to do it," then I don't see
how to avoid it.  You'd need a trusted timestamp on the certificate and
a trusted timestamp on the machine using the certificates, and trusted
timestamps are a hard, *hard* problem.

Yes, OpenPGP is quite permissive about letting people encrypt to expired
certificates, but I think that's more a factor of it being incredibly
hard to prevent it than it is any neglect on the part of the OpenPGP
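
An added example, not part of the original message and not code from any OpenPGP implementation: a sketch of the expiry check as RFC 4880 defines it, showing that its two inputs are the creation time written into the certificate and the local clock, neither of which is authenticated. The function names, the sample subpacket area and the timestamps are constructed for illustration.

```python
import struct

KEY_EXPIRATION_TIME = 9  # RFC 4880 5.2.3.6: seconds after key creation


def parse_subpackets(area):
    """Yield (type, body) for each signature subpacket in `area`."""
    i = 0
    try:
        while i < len(area):
            first = area[i]
            if first < 192:                  # one-octet length
                length, i = first, i + 1
            elif first < 255:                # two-octet length
                length = ((first - 192) << 8) + area[i + 1] + 192
                i += 2
            else:                            # five-octet length
                length = struct.unpack(">I", area[i + 1:i + 5])[0]
                i += 5
            if length == 0 or i + length > len(area):
                raise ValueError("malformed subpacket")
            # Length covers the type octet; the high bit is the critical flag.
            yield area[i] & 0x7F, area[i + 1:i + length]
            i += length
    except (IndexError, struct.error):
        raise ValueError("truncated subpacket area")


def key_expiry(key_created, hashed_area):
    """Return the expiry as Unix time, or None if the key never expires."""
    for sp_type, body in parse_subpackets(hashed_area):
        if sp_type == KEY_EXPIRATION_TIME:
            if len(body) != 4:
                raise ValueError("bad key expiration subpacket")
            offset = struct.unpack(">I", body)[0]
            return key_created + offset if offset else None
    return None


def is_expired(key_created, hashed_area, now):
    """`key_created` comes from the certificate, `now` from the local clock."""
    expiry = key_expiry(key_created, hashed_area)
    return expiry is not None and now >= expiry


# Constructed sample: signature creation time (type 2) and a one-year
# key expiration (type 9) for a key created at Unix time 1379000000.
KEY_CREATED = 1379000000
HASHED_AREA = (bytes([5, 2]) + struct.pack(">I", KEY_CREATED)
               + bytes([5, 9]) + struct.pack(">I", 31536000))
```

The same certificate bytes give a different answer depending only on the `now` value the caller supplies, so the check is only as strong as the clock behind it.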

