encrypting to expired certificates

David Shaw dshaw at jabberwocky.com
Mon Sep 15 22:16:07 CEST 2014


On Sep 15, 2014, at 3:06 PM, Hauke Laging <mailinglisten at hauke-laging.de> wrote:

> Am Mo 15.09.2014, 09:47:21 schrieb David Shaw:
> 
>> I disagree with this.  Expiration is the way the key owner (the person
>> who knows best whether the key should be used or not) tells the
>> world, "Do not use this key after this date".
> 
> Where do you take that from? Neither the RfC uses this description nor 
> GnuPG nor any GUI I know. It is OK (not meaning: being safe from getting 
> criticized by the key owner for sending clear text instead) if you treat 
> the expiration date this way. But it is absolutely not OK to enforce 
> this really not obvious interpretation on others.

I suspect that the word "expired" was expected to be clear on its own in the RFC.  If there was some non-common meaning of expired, the term would have been explicitly defined.  RFCs don't seek to confuse things.  5.2.3.6 defines it as "the validity period of the key".  In other words, after that specified time has elapsed, the key is not valid.

Are you arguing that in other places we allow people to use non-valid keys, so why not here as well?  I don't agree with that, but I do understand it.  ("valid" being a fairly weakly defined term without, yes, policy).

In any event, the choice being presented here between "use an expired key" vs "send in plain text" strikes me as misleading.  There is a third case, which is "Stop.  Something is wrong.  Figure it out before proceeding."

David




More information about the Gnupg-users mailing list