encrypting to expired certificates

Werner Koch wk at gnupg.org
Tue Sep 16 16:29:10 CEST 2014

On Mon, 15 Sep 2014 23:53, dougb at dougbarton.us said:

>> Actually the semantics of an expired (sub)key may come from the 1999 or
>> so idea of adding features to mitigate the effect of the UK RIP act (or
>> whatever it is called now).
> Wow, blast from the past. :)  It's not clear to me how you're tying
> those 2 things together though.

Ben Laurie wrote an I-D to add forward secrecy to OpenPGP.  It is
possible that I did some changes to the subkey expiry mechanism as a
first step to implement that (I can't remember and would need to spend
time reading ChangeLogs and mails).  The idea was to have rolling subkeys,
a fresh one each month; you keep the subkeys for the last two months
online and delete older subkeys.  Then, if the --show-session-key stuff
won't be accepted by the bobby asking for the key for a certain message,
you could claim that you have only keys for the last two months (or
weeks) and that the software deletes all older stuff.  Never fully
implemented, though.

> Frankly I wish the option had never been added to the spec, but
> (thankfully) I'm not in charge. :)

I like the expiration date because it somehow helps against forgotten
passphrases (although it is questionable that those who know about
expiration dates will forget passphrases) and lost secret keys.  But it
is indeed an advanced topic.

A feature request could be to remove the expiration time prompt when not
in expert mode.  OTOH, only experts use the command line and yes, the
GUIs may do without the expiration time.  I will consider this for GPA.



Thoughts are free.  Exceptions are regulated by a federal law.
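The rolling-subkey scheme described in the message (a fresh encryption subkey each month, the last two months kept, older subkeys deleted rather than merely expired) as an added toy model, not code from the message, from GnuPG or from Ben Laurie's draft.  The 30-day rotation period, the 60-day retention window, the subkey-id derivation and the XOR keystream "cipher" are all assumptions made here to keep the example self-contained; the cipher is a stand-in for OpenPGP public-key encryption and is not secure.  The point it shows is the one the message makes: once the software has deleted a subkey, a ciphertext addressed to it can no longer be decrypted, so there is nothing to hand over.

```python
"""Toy model of rolling encryption subkeys with deletion-based
forward secrecy.  Added example; parameters and cipher are assumed."""
from __future__ import annotations

import hashlib
import secrets
from datetime import date, timedelta

# Assumed parameters: the message says "a fresh one each month" and
# "keep the subkeys for the last two months".
ROTATE_DAYS = 30      # mint a new encryption subkey every 30 days
RETENTION_DAYS = 60   # delete subkeys older than this from the keyring


def _toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (symmetric, so the same
    call encrypts and decrypts).  Stand-in for OpenPGP encryption,
    NOT secure; it only makes 'subkey deleted' observable as
    'ciphertext no longer decryptable'."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class RollingKeyring:
    def __init__(self) -> None:
        # subkey id -> (creation date, secret material)
        self.subkeys: dict[str, tuple[date, bytes]] = {}

    def newest(self) -> str | None:
        if not self.subkeys:
            return None
        return max(self.subkeys, key=lambda k: self.subkeys[k][0])

    def rotate(self, today: date) -> list[str]:
        """Mint a fresh subkey when the newest one is ROTATE_DAYS old,
        then delete (not expire: the secret material is gone) every
        subkey older than RETENTION_DAYS.  Returns the deleted ids."""
        newest = self.newest()
        if newest is None or (today - self.subkeys[newest][0]).days >= ROTATE_DAYS:
            secret = secrets.token_bytes(32)
            # Assumed id scheme: a short hash of the secret material.
            sid = hashlib.sha256(secret).hexdigest()[:16]
            self.subkeys[sid] = (today, secret)
        deleted = [k for k, (created, _) in self.subkeys.items()
                   if (today - created).days > RETENTION_DAYS]
        for k in deleted:
            del self.subkeys[k]
        return deleted

    def encrypt(self, today: date, plaintext: bytes) -> tuple[str, bytes]:
        """Encrypt to the current (newest) subkey; rotates first."""
        self.rotate(today)
        sid = self.newest()
        return sid, _toy_cipher(self.subkeys[sid][1], plaintext)

    def decrypt(self, sid: str, ciphertext: bytes) -> bytes | None:
        """None once the subkey has been deleted: nothing to hand over."""
        entry = self.subkeys.get(sid)
        if entry is None:
            return None
        return _toy_cipher(entry[1], ciphertext)


if __name__ == "__main__":
    start = date(2014, 6, 1)   # constructed sample date
    kr = RollingKeyring()
    sid, ct = kr.encrypt(start, b"message from month one")
    for days in (45, 75):
        gone = kr.rotate(start + timedelta(days=days))
        print(f"day {days}: deleted={gone} subkeys={len(kr.subkeys)} "
              f"month-one message readable={kr.decrypt(sid, ct) is not None}")
```

Run as a script it walks the keyring forward 45 and then 75 days: at day 45 a second subkey exists and the first message is still readable; at day 75 the first subkey has been deleted and the same ciphertext decrypts to nothing.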

More information about the Gnupg-users mailing list