On Mon, Sep 23, 2002 at 12:48:16PM -0500, Richie Laager wrote:
Yes he can -- this is exactly the problem that I want to solve
with my suggested change to the specification. The way Jon wants
to use key expiration, the bad guy can keep the key alive
indefinitely. I call this a protocol failure, he calls it a
I've been following this thread somewhat, and I have the following
Did you read my original message from the mailing list archives?
There is a simple workaround for the protocol failure, which does
not have the problems of your proposal: whenever someone certifies
someone else's key, then if this key has an expiration time set, the
certification signature should get an expiration time too such that
the signature's validity period extends no longer into the future than
the key's validity period.
(Obviously if Alice specifically asks Bob to certify her key for a
longer period, he can do so, but we need a default for the typical
case that there is no out-of-band information on this.)
Of course the one problem we cannot avoid is that the legitimate owner
of the key cannot keep the key alive indefinitely. This is because
this "problem" is exactly the security feature that me and Florian
Weimer and Derek Atkins want to have: we don't want the bad guy to be
able to unexpire the key if he gets hold of the secret key.
Bodo Möller <moeller(_at_)cdc(_dot_)informatik(_dot_)tu-darmstadt(_dot_)de>
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
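
The workaround described in the message above, sketched as an added example (not part of the original message or of any OpenPGP implementation). All class and function names and all timestamps are constructed for illustration; the model assumes a verifier takes the key's expiration from the newest self-signature, and uses the OpenPGP convention that expiration times are offsets in seconds from creation, with 0 meaning "never".

```python
from dataclasses import dataclass

DAY = 86400

@dataclass
class SelfSig:                 # self-signature carrying the key expiration time
    created: int               # signature creation time (Unix seconds)
    key_expires_after: int     # seconds after key creation; 0 = never

@dataclass
class Certification:           # third-party certification signature on the key
    created: int
    expires_after: int         # seconds after signature creation; 0 = never

def key_expiry(key_created, selfsigs):
    """Absolute key expiry per the newest self-signature (None = never)."""
    latest = max(selfsigs, key=lambda s: s.created)
    return key_created + latest.key_expires_after if latest.key_expires_after else None

def certify(key_created, selfsigs, now, requested_lifetime=None):
    """Default: the certification ends no later than the key's validity period."""
    end = key_expiry(key_created, selfsigs)
    if requested_lifetime is not None:   # owner asked out-of-band for a longer period
        return Certification(now, requested_lifetime)
    if end is None:
        return Certification(now, 0)
    if end <= now:
        raise ValueError("key already expired; refusing to certify")
    return Certification(now, end - now)

def trusted_at(key_created, selfsigs, cert, t):
    """The key counts as certified at t only if key and certification are unexpired."""
    end = key_expiry(key_created, selfsigs)
    key_ok = end is None or t < end
    cert_ok = cert.expires_after == 0 or t < cert.created + cert.expires_after
    return key_ok and cert_ok

def scenario():
    """Holder of a stolen secret key re-issues the self-signature with a later expiry."""
    key_created = 1_000_000_000                      # constructed timestamp
    original = SelfSig(key_created, 365 * DAY)
    certified_at = key_created + 30 * DAY
    capped = certify(key_created, [original], certified_at)
    uncapped = Certification(certified_at, 0)        # certification with no expiry
    forged = SelfSig(key_created + 300 * DAY, 3650 * DAY)
    later = key_created + 400 * DAY                  # after the original key expiry
    return (trusted_at(key_created, [original, forged], uncapped, later),
            trusted_at(key_created, [original, forged], capped, later))
```

`scenario()` returns `(True, False)`: the non-expiring certification still vouches for the re-extended key, while the capped one lapsed together with the original validity period.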