encrypting to expired certificates

Hauke Laging mailinglisten at hauke-laging.de
Tue Sep 16 00:59:55 CEST 2014


On Mon 15.09.2014, 15:02:14 Doug Barton wrote:

> I set an expiration date on my key because
> I felt there was a legitimate concern that myself, my key, or both
> were going to come under the control of a hostile entity.

a) What period do you choose for that? A day, a week, a month, a year?

b) What prevents this hostile entity from extending the validity period?


> Now that
> worst case scenario has actually occurred, and it is no longer safe
> for anyone to send me encrypted communications using that key. But
> HALLELUJAH!, I'm safe because the software honors the spec and will
> not allow Hauke to encrypt to my key because it is expired.

You are under the control of a hostile entity but you are safe? Lucky 
you!


What would happen in real life?

Someone in such a situation (personal safety at risk) would establish a 
policy for key usage with those contacts who send him information whose 
disclosure might cause severe problems.

In other words: Even if GnuPG allowed them to use expired keys (if 
expiration was considered a security means under this policy) they would 
not consider using them.

On the other hand: Everyone who relies on expiration disabling being 
enforced (and seriously: Who does? Who even knew before this thread what 
the exact behaviour of GnuPG is? Not even I did. And I am quite sure that 
information which not even I have about GnuPG cannot be the basis for an 
expectation-motivated rule.) is dangerously stupid.


> The point I'm
> trying to make is simply that we don't know what we don't know.

That does not seem like an argument to me for telling the user what is 
best for him.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5


More information about the Gnupg-users mailing list