On Mon, Feb 02, 2004 at 09:23:57PM -0500, Hasnain Mujtaba wrote:
What is the need for having two expiration signature subpackets: Key
expiration time and Signature expiration time. Which of these do we
read if we want to know the date when the subkey expires? If the
signature on the subkey has expired then the key is useless and the
value of the the Key expiration time subpacket should not matter and
vice versa, i.e, if the the key expiration time is reached before
the signature expiration time then the key has expired.
The subpacket "language" is rich and allows you to express things that
don't necessarily make sense in all contexts. In the case of subkeys,
if you have a self-signature that expires, it is as if the subkey has
no self-signature, and is thus an invalid subkey. If you have a
self-signature that has a key expiration subpacket, and the specified
time has elapsed, then the subkey is expired.
So, whichever of the two validity dates arrives first, can't we
expire the key based on that?
For most purposes, yes. Though an invalid subkey (expired
self-signature) and an expired subkey (valid self-signature with a key
expiration subpacket) are not the same thing, either one results in a
subkey that should not be used. Nevertheless, if you are generating a
subkey that expires, use the key expiration subpacket. That's what it
is there for.
David