encrypting to expired certificates
Hauke Laging
mailinglisten at hauke-laging.de
Tue Sep 16 01:33:23 CEST 2014
Am Mo 15.09.2014, 15:56:04 schrieb Robert J. Hansen:
> There's a half-finished liter of milk in my fridge that's now a week
> past its expiration date. (Yes, yes, I'm going to throw it out once I
> get home...)
>
> If you want, feel free to come by. I'll pour you a glass of milk.
> After all, an expiration date doesn't mean "don't use this," right?
> It's only a number that's to be interpreted according to however
> someone wants.
It is quite similar to the certificate case. It is (if exceeded) a
warning to the user: "Think well before you use it. Don't blame me if
you do." And not "I will be really upset if you use it!".
For the milk we get here I guess most people would not consider it a
problem if it has exceeded its expiration date by one or two days. For
other food even weeks or months may not seem dangerous. But you can
still access the milk without having to break additional locks.
The big difference between food and keys is that you know that food
becomes bad. You do not exactly know when. The milk producer cannot make
the milk in your fridge good milk by printing a later date on it. For
keys this is common.
On the other hand I would handle certificates differently if one has
expired two weeks ago and the other one two years ago. I would handle
them differently if it was the first contact for one and I had regularly
(and recently) used the other.
> It is not GnuPG's job to set policy
That's what I am asking for.
> if you really need the ability to
> encrypt to expired certificates, go right ahead and do it.
It seems that I would have to patch the code for that. Beside the fact
that this would indeed affect security I do not want a solution for me
only but an improvement for the OpenPGP environment.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140916/5a72ea8f/attachment.sig>
More information about the Gnupg-users
mailing list