encrypting to expired certificates

Hauke Laging mailinglisten at hauke-laging.de
Tue Sep 16 01:33:23 CEST 2014


Am Mo 15.09.2014, 15:56:04 schrieb Robert J. Hansen:

> There's a half-finished liter of milk in my fridge that's now a week
> past its expiration date.  (Yes, yes, I'm going to throw it out once I
> get home...)
> 
> If you want, feel free to come by.  I'll pour you a glass of milk.
> After all, an expiration date doesn't mean "don't use this," right?
> It's only a number that's to be interpreted according to however
> someone wants.

It is quite similar to the certificate case. It is (if exceeded) a 
warning to the user: "Think well before you use it. Don't blame me if 
you do." And not "I will be really upset if you use it!".

For the milk we get here I guess most people would not consider it a 
problem if it has exceeded its expiration date by one or two days. For 
other food even weeks or months may not seem dangerous. But you can 
still access the milk without having to break additional locks.

The big difference between food and keys is that you know that food 
becomes bad. You do not exactly know when. The milk producer cannot make 
the milk in your fridge good milk by printing a later date on it. For 
keys this is common.

On the other hand I would handle certificates differently if one has 
expired two weeks ago and the other one two years ago. I would handle 
them differently if it was the first contact for one and I had regularly 
(and recently) used the other.


> It is not GnuPG's job to set policy

That's what I am asking for.


> if you really need the ability to
> encrypt to expired certificates, go right ahead and do it.

It seems that I would have to patch the code for that. Beside the fact 
that this would indeed affect security I do not want a solution for me 
only but an improvement for the OpenPGP environment.


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140916/5a72ea8f/attachment.sig>


More information about the Gnupg-users mailing list