ietf-openpgp

Re: draft-ietf-openpgp-rfc2440bis-06.txt

2002-09-23 11:53:05

On 23 Sep 2002, Derek Atkins wrote:


> Bodo Moeller <moeller(_at_)cdc(_dot_)informatik(_dot_)tu-darmstadt(_dot_)de> writes:
>
> > Please point out an advantage of *key* expiration over
> > *self-signature* expiration in that scenario.
>
> A bad guy gets a copy of my private key..  If there is a key
> expiration then they cannot keep it alive indefinitely.  Or is key
> compromise not an attack you care about? ;)

Actually, in Jon's proposal, the bad guy can. If we do things Bodo's way,
he can't.

Bodo wants to make key expirations permanent and unalterable. This means
that even if a bad guy gets the private key, the key expiration cannot be
changed.

With Jon's way, key expirations are not a defense against key compromise,
because they can be extended indefinitely by the holder of the private
key.

The question I see is this: are key expiration dates a "mandate" or a
"suggestion" to third parties by the key owner?

In Mixmaster, we have key expiration dates that are not even tied to the
key by a signature -- they are just denoted in the key header field. The
intention here is to inform the user that the key will be deleted after
the expiration date, and in no way protects against the compromise of the
key. (Deleting the key does that -- the expiration date protects against
unreadable mail by the key holder).

One might argue that expirations in PGP are intended to be interpreted the
same way, and that the user should revoke the key if he is worried about
Bad Guys possessing it. I think this is how it must be interpreted if we
use Jon's system.


--Len.
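
The difference discussed in the message above, as an added illustration that is not part of the original post or of either proposal's text. It assumes two simplified evaluation rules: in one the newest self-signature sets the key expiration, in the other an asserted expiration can never be extended. All names and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400  # seconds


@dataclass(frozen=True)
class SelfSig:
    """Simplified self-signature (hypothetical model, not a packet parser)."""
    created: int                 # signature creation time, in seconds
    key_lifetime: Optional[int]  # seconds after key creation; None = no expiration


def expiry_latest_wins(key_created: int, sigs: List[SelfSig]) -> Optional[int]:
    """Mutable rule (assumed): the newest self-signature sets the expiration."""
    newest = max(sigs, key=lambda s: s.created)
    return None if newest.key_lifetime is None else key_created + newest.key_lifetime


def expiry_immutable(key_created: int, sigs: List[SelfSig]) -> Optional[int]:
    """Immutable rule (assumed): the shortest lifetime ever asserted is final."""
    lifetimes = [s.key_lifetime for s in sigs if s.key_lifetime is not None]
    return key_created + min(lifetimes) if lifetimes else None


def usable(now: int, expiry: Optional[int], revoked: bool = False) -> bool:
    """A key is usable if it is not revoked and has not yet expired."""
    return not revoked and (expiry is None or now < expiry)


# Constructed scenario: the owner sets a one-year lifetime; someone holding a
# copy of the private key later issues a self-signature with a ten-year one.
KEY_CREATED = 0
OWNER_SIG = SelfSig(created=0, key_lifetime=365 * DAY)
LATER_SIG = SelfSig(created=300 * DAY, key_lifetime=3650 * DAY)
SIGS = [OWNER_SIG, LATER_SIG]
NOW = 400 * DAY  # after the owner's intended expiration

if __name__ == "__main__":
    mutable = expiry_latest_wins(KEY_CREATED, SIGS)
    fixed = expiry_immutable(KEY_CREATED, SIGS)
    print("latest-wins, usable at day 400:", usable(NOW, mutable))
    print("immutable,   usable at day 400:", usable(NOW, fixed))
    print("latest-wins, but revoked:      ", usable(NOW, mutable, revoked=True))
```

Under the mutable rule only revocation stops the key from being accepted after day 365, which matches the reading that expiration is then a suggestion and revocation is the response to compromise.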