-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Subject: More on key expiration policy (Re:
draft-ietf-openpgp-rfc2440bis-06.txt)
From: "Len Sassaman" <rabbi(_at_)abditum(_dot_)com>
Actually, in Jon's proposal, the bad guy can. If we do things Bodo's way,
he can't.
Bodo originally suggested that clients abide by expiration times when
creating new certifications. That alone may not prevent a compromised
key from being misused. Yes, it would work for certifications prior
to the compromise, and for new ones where the signer gets the key
*directly* from the owner, but that still doesn't cover all cases.
Consider this scenario...
I steal Bob's key.
I publish it, with an updated expiration time, to an
out-of-the-way keyserver.
Bob's new friend Alice gets his key from this keyserver.
Alice verifies the fingerprint with Bob, and signs his key,
in accordance with Bodo's rules.
Alice sends her new signature to Bob, and/or publishes it
at my keyserver, but I steal it enroute.
I have a signature that will outlast Bob's intended expiration.
The problem is that fingerprints don't include the expiration time.
Now, Bob *could* insist on getting a copy of Alice's signature, and
check for a mismatched expiration time. Together, Bob and Alice could
discover that I've compromised Bob. But this would require more care
in the keysigning process than even some very cautious people apply.
Note that disallowing rewriting won't prevent this attack, as
that also depends on someone noticing a (different) mismatch.
(If I can completely keep people from seeing key updates,
then I can defeat revocations, too, but that's a much broader
attack.)
This may be another fair argument for allowing rewriting. If you
really wanted irrevocable expiration times, you'd want to hash them
into the fingerprint material, but it's way too late for that.
The question I see is this: are key expiration dates a "mandate" or a
"suggestion" to third parties by the key owner?
More precisely, are expiration times rewriteable?
I'm afraid that the answer has to be YES. The specification has
clearly said so for a while now, and at least one implementation
(GnuPG) offers this capability. If we change the rules now,
anyone who has taken advantage of it (or set a short expiration
time with the expectation that they can change it) will be
seriously disappointed.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQA/AwUBPY+MalMkvpTT8vCGEQLVmgCfVDZTWIpnOt2Gu1e31DPtMqaV8ekAn14H
E6TRRSoBFYuIfKzI7oiCwngd
=w8jJ
-----END PGP SIGNATURE-----