On Tue, Sep 24, 2002 at 10:58:38AM +0200, Bodo Moeller wrote:

> > By default GnuPG uses the expiration date of the self-signature as the
> > one for a key signature. This is on Florian Weimer's request and afaik
> > is sufficient for him and his use of the PGP PKI.
>
> I hope Werner meant the *key* expiration date from the self-signature,
> not the *signature* expiration date from the self-signature. These
> are different packet types. Key expiration dates may be present only
> in self-signatures according to the OpenPGP specification, so they
> should be translated into signature expiration dates when certifying
> keys; see Florian's request at
> <URL:http://lists.gnupg.org/pipermail/gnupg-devel/2001-July/006196.html>:

It is the key expiration date (i.e. subpacket 9, not subpacket 3). I
want to point out that this is not something that GnuPG forces on the
user. If a key has an expiration date, GnuPG prompts the user "This
key is due to expire on x/x/x. Do you want your signature to expire
at the same time? (Y/n)". If the signing user says "yes" (the
default), then that happens. If the signing user says no, then they
are free to pick any expiration time, or none at all. I think that is
the most appropriate solution here as the signer is still free to do
whatever they like.

In an ideal world (which we are not in), I think that a solution that
would solve all the concerns here is to define a v5 key format. It
could contain an expiration date as part of the key, just like in v3
keys. The expiration date in the key is the "hard" expiration. The
user can shorten, but not extend, this via the "soft" expiration date
given in the self-signature. (Incidentally, this is what GnuPG does
when it encounters v3 keys with v4 self-signatures.) Of course, a new
key format would be brutal for interoperability, so is not a good
solution.

David
--
David Shaw | dshaw(_at_)jabberwocky(_dot_)com | WWW
http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
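
Added example, not part of the original message and not GnuPG's code: a Python sketch of the distinction discussed above, reading subpacket 9 (key expiration, seconds after key creation) from a self-signature and translating it into a subpacket 3 value (seconds after signature creation) for a certification, plus the hard/soft rule from the v5 proposal. The function names, timestamps and the `SELFSIG` bytes are constructed for illustration.

```python
import struct

SIG_EXPIRATION, KEY_EXPIRATION = 3, 9   # OpenPGP signature subpacket types

def parse_subpackets(area):
    """Split a signature subpacket area into {type: body}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:                              # one-octet length
            length, i = first, i + 1
        elif first < 255 and i + 2 <= len(area):     # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        elif first == 255 and i + 5 <= len(area):    # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if length == 0 or i + length > len(area):
            raise ValueError("truncated subpacket")
        out[area[i] & 0x7F] = area[i + 1:i + length]  # bit 7 is the critical flag
        i += length
    return out

def key_expiry(key_created, selfsig_area):
    """Absolute key expiry from subpacket 9 (seconds after KEY creation), else None."""
    body = parse_subpackets(selfsig_area).get(KEY_EXPIRATION)
    if body is None:
        return None
    if len(body) != 4:
        raise ValueError("bad key expiration subpacket")
    offset = struct.unpack(">I", body)[0]
    return key_created + offset if offset else None   # 0 means "never expires"

def certification_expiration(key_created, selfsig_area, cert_created):
    """Subpacket 3 value (seconds after SIGNATURE creation) ending with the key."""
    expires = key_expiry(key_created, selfsig_area)
    if expires is None:
        return None
    if expires <= cert_created:
        raise ValueError("key has already expired")
    return expires - cert_created

def effective_expiry(hard, soft):
    """Hard/soft rule from the message: soft may shorten, never extend, hard."""
    limits = [t for t in (hard, soft) if t is not None]
    return min(limits) if limits else None

# Constructed self-signature area: subpacket 3 = 30 days, subpacket 9 = 365 days.
SELFSIG = bytes([5, 3]) + struct.pack(">I", 30 * 86400) \
        + bytes([5, 0x80 | 9]) + struct.pack(">I", 365 * 86400)
```
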