Key expiration question

Peter Lebbing peter at digitalbrains.com
Fri Jun 16 11:17:34 CEST 2017


On 16/06/17 08:17, listo factor via Gnupg-users wrote:
>> An expired key will definitely not be able to issue valid 
>> signatures after the expiration date.
> 
> There is nothing ~in the key itself~ that prevents any key from
> being used to create signatures

There is nothing ~in the key itself~ that makes a signature /valid/ or
not. It's either correct or incorrect, but I distinctly said /valid/.
The OpenPGP-compatible software that checks the signature is what
decides whether the signature is valid or not, and a signature carrying
a timestamp later than the expiry date of the key will not be considered
valid.

> some arbitrary external information (computer system date)

I was talking about timestamps included in the key (expiry date) and
signature (signature creation time), not about the system time of the
system doing verification. On the other hand, stuff appearing to be from
the future is usually rejected outright, so the system time is somewhat
involved.

> The key expiration date should therefore be considered only a
> ~suggestion~, and not a ~limitation~ for creating or not creating
> signatures.

It's true it's not a limitation on creating signatures. But the
interesting bit isn't the creation of signatures. It's verifying the
validity of signatures, which is very much /limited/ by other factors
than just the raw key material, not merely suggested.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
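The distinction drawn above, between a signature being cryptographically correct and a verifier calling it valid, can be made concrete in code. The following is an added example written for this thread; it is not GnuPG's code and not anything Peter posted. It models only the timestamp side of verification: it parses the two RFC 4880 signature subpackets involved (Signature Creation Time, type 2, on the data signature; Key Expiration Time, type 9, on the key's self-signature, stored as a period in seconds after key creation rather than as an absolute date) and then applies the rule from the mail: a signature whose creation time is later than the key's expiry is not valid, and a signature that appears to come from the future is rejected against the verifier's clock. The subpacket byte strings, the key creation date (2012-01-01), the five-year expiry and the verifier clock (2017-06-16) are all constructed here for illustration; checking the actual signature over the data is out of scope.

```python
import struct
from datetime import datetime, timezone

# RFC 4880 section 5.2.3.1 subpacket types used in this example.
SIG_CREATION_TIME = 2    # 4-octet time the signature was made
KEY_EXPIRATION_TIME = 9  # 4-octet period after key creation; NOT an absolute date


def parse_subpackets(data: bytes) -> dict:
    """Parse a signature subpacket area (RFC 4880 5.2.3.1) into {type: body}.

    Each subpacket is: length (1, 2 or 5 octets, same scheme as new-format
    packet lengths), one type octet, then the body. The length counts the
    type octet and the body, not the length field itself.
    """
    out = {}
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:
            length = struct.unpack(">I", data[i + 1:i + 5])[0]
            i += 5
        sub_type = data[i] & 0x7F            # bit 7 is the "critical" flag
        out[sub_type] = data[i + 1:i + length]
        i += length
    return out


def subpacket(sub_type: int, body: bytes) -> bytes:
    """Build one subpacket in the 1-octet length form; only used to construct test data."""
    if len(body) + 1 >= 192:
        raise ValueError("body too long for the 1-octet length form")
    return bytes([len(body) + 1, sub_type]) + body


def time_octets(ts: int) -> bytes:
    """OpenPGP 4-octet time: unsigned big-endian seconds since the Unix epoch."""
    return struct.pack(">I", ts)


def signature_validity(key_created: int, key_selfsig: bytes, data_sig: bytes,
                       now: int, future_slack: int = 0) -> tuple:
    """Decide validity the way the thread describes, from timestamps alone.

    key_selfsig: hashed subpackets of the key's self-signature (may carry type 9)
    data_sig:    hashed subpackets of the signature under test (carries type 2)
    now:         the verifying system's clock, used only to reject the future
    Returns (valid, reason). Nothing here stops anyone from *making* the
    signature; this is the verifier's decision, after the fact.
    """
    sig_created = struct.unpack(">I", parse_subpackets(data_sig)[SIG_CREATION_TIME])[0]
    expiry_body = parse_subpackets(key_selfsig).get(KEY_EXPIRATION_TIME)
    if expiry_body is not None:
        key_expires = key_created + struct.unpack(">I", expiry_body)[0]
        if sig_created > key_expires:
            return False, "signature created after key expiry"
    if sig_created > now + future_slack:
        return False, "signature timestamp is in the future"
    return True, "ok"


def demo() -> dict:
    """Constructed scenarios: key made 2012-01-01 UTC, expiring 5*365 days later."""
    def ts(y, m, d):
        return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

    def sig_at(t):
        return subpacket(SIG_CREATION_TIME, time_octets(t))

    key_created = ts(2012, 1, 1)
    five_years = 5 * 365 * 86400             # so the key expires 2016-12-30
    selfsig = (subpacket(SIG_CREATION_TIME, time_octets(key_created))
               + subpacket(KEY_EXPIRATION_TIME, time_octets(five_years)))
    selfsig_no_expiry = subpacket(SIG_CREATION_TIME, time_octets(key_created))
    now = ts(2017, 6, 16)                    # the verifier's clock (constructed)
    return {
        "before_expiry": signature_validity(key_created, selfsig, sig_at(ts(2015, 3, 1)), now),
        "after_expiry": signature_validity(key_created, selfsig, sig_at(ts(2017, 6, 16)), now),
        "from_future": signature_validity(key_created, selfsig_no_expiry, sig_at(ts(2018, 1, 1)), now),
    }


if __name__ == "__main__":
    for name, (valid, reason) in demo().items():
        print(f"{name:14s} valid={valid} ({reason})")
```

The three scenarios in `demo()` map onto the thread: a signature made in 2015 on a key that expires at the end of 2016 is valid; the same key can still produce a signature dated 2017-06-16, but a verifier will not call it valid; and a signature dated after the verifier's own clock is refused outright, which is the only place the system time enters.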
