ietf-openpgp

Expiration semantics (Re: draft-ietf-openpgp-rfc2440bis-06.txt)

2002-09-23 12:52:17

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject: Expiration semantics (Re: draft-ietf-openpgp-rfc2440bis-06.txt)

From: "Derek Atkins" <derek(_at_)ihtfp(_dot_)com>
> A bad guy gets a copy of my private key..  If there is a key
> expiration then they cannot keep it alive indefinitely.  Or is key
> compromise not an attack you care about? ;)

No.

If you allow self-signatures to be rewritten with different
expiration times, then no, key COMPROMISE is NOT an attack
that the expiration time can ever mitigate.  Revocation
is the only option.

Now, it WOULD HAVE been reasonable to outright disallow multiple
self-signatures with different expiration times.  Then, the presence
of multiple expiration times could be taken as a clear sign of
compromise.  I would favor this approach, but others clearly do not,
and the spec has clearly allowed rewriting expiration times.

The usage pattern Jon Callas described does help deal with LOST keys,
though, preventing them from being used by legitimate clients.  In
the unlikely event that Jon loses his key, the flood of mail encrypted
to it will end at his most recently chosen expiration time :-).

This applies primarily to encryption.  I suppose it might also prevent
some fool from signing Jon's key (without asking him) after he has
lost it, but I feel no need to protect such fools.  So, I must admit
that I don't understand why Jon wants this to apply to main keys;
couldn't he update the expiration time in the binding signature for
his encryption keys?  If he has a "dead-man's switch" on all of his
subkeys, what more does he get from having the main key expire?

I would ask that the spec include some language to the sections on
expiration times to remind the reader that they can be rewritten, and
that clients should abide by them but not depend on them to limit
compromise.  (The right to rewrite appears elsewhere, but its
consequences may not immediately occur to someone looking at the
expiration time description.)

[As for Bodo Moeller's original question, I mostly side with Jon.
Certifications are statements about the ownership of a key, not its
lifetime; it should be legal to make a certification that will outlast
the key's (CURRENT) expiration time.  That said, I wouldn't
strenuously object to mentioning that clients might WANT to consider
the key expiration time when making a new certification.]

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPY9wQFMkvpTT8vCGEQL4qQCg3YUnyW9k13AUwS5sc7R0TXSbyjAAn36s
RX8JolyLTC9pvZHdpN18GeJj
=w7Hv
-----END PGP SIGNATURE-----
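
Added example, not part of the original message: a simplified model (not an OpenPGP parser) of the point argued above, that a client honouring the most recent self-signature cannot tell a legitimate expiration update from one made with a copied private key, while a revocation still ends the key's validity. The names `SelfSig` and `key_status`, the "most recent self-signature decides" rule and all timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400  # seconds


@dataclass(frozen=True)
class SelfSig:
    """Simplified stand-in for a signature made by the key itself."""
    created: int                      # signature creation time
    key_expires_after: Optional[int]  # seconds after key creation; None = no expiry
    revocation: bool = False          # True for a key revocation signature


def key_status(key_created: int, sigs: List[SelfSig], now: int) -> str:
    """Return 'revoked', 'expired', 'valid' or 'unbound' as seen at time `now`."""
    seen = [s for s in sigs if s.created <= now]
    if any(s.revocation for s in seen):
        return "revoked"          # revocation wins over any later self-signature
    binding = [s for s in seen if not s.revocation]
    if not binding:
        return "unbound"
    latest = max(binding, key=lambda s: s.created)  # most recent one decides
    if latest.key_expires_after is None:
        return "valid"
    return "expired" if now >= key_created + latest.key_expires_after else "valid"


# Constructed timeline: key created at t=0 with a one-year expiration.
KEY_CREATED = 0
original = SelfSig(created=0, key_expires_after=365 * DAY)
# Whoever holds the private key (owner or not) can issue this later self-signature.
rewritten = SelfSig(created=390 * DAY, key_expires_after=3650 * DAY)
revoke = SelfSig(created=395 * DAY, key_expires_after=None, revocation=True)

if __name__ == "__main__":
    now = 400 * DAY
    print(key_status(KEY_CREATED, [original], now))                     # expired
    print(key_status(KEY_CREATED, [original, rewritten], now))          # valid
    print(key_status(KEY_CREATED, [original, rewritten, revoke], now))  # revoked
```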