ietf-openpgp

Re: [openpgp] rfc3880bis - hard expiration time

2015-04-24 12:11:33
Christoph Anton Mitterer <calestyo(_at_)scientia(_dot_)net> writes:

> On Thu, 2015-04-23 at 11:48 -0400, Derek Atkins wrote:
>> No, it would not, which is IMHO the right thing.
>>
>> I.e., IMNSHO I feel you should expire your key by expiring your
>> self-signature on the key.  If you want to extend your key then you
>> re-sign it with a new self-signature.
> Well but then it's useless to make the key as a whole expirable.

No, it's not useless.  If you know that when you generate the key you
absolutely never want it to be usable past a certain date, then you put
the expiry into the Public Key packet.  Once that date passes, the key
has expired.  The date should be immutable.

However if you're not sure, or you want to prove user liveness on the
key, you can perform similar functions (note that it's not exactly the
same function) by using expiring self signatures.

> And as I outlaid before, this destroys the use case that a user wants to
> limit the usability of his key, regardless of whether e.g. old signature
> algos would be broken or his key compromised.

It doesn't destroy the use case; you can still use the Key Expiry.  It's
just an IMMUTABLE setting.  If you change it then it should make it a
"new" key, which means a different fingerprint (and invalidating all
signatures).

> If that's only in the selfsig *without* invalidating the other
> signatures, then an attacker could try a downgrade attack and e.g. forge
> the selfsig with weaker algos... or more likely... simply create a new
> selfsig when the key was compromised.

Yes, this is a risk of not using the expiry field in the key packet.

> If the fingerprint and other users' signatures wouldn't invalidate them,
> all the attacker needs to do is block the revocation (if any).

I'm not sure I understand this statement.

> Therefore, it should be mandatory that both, the valid from and valid to
> times are encoded in such a way, that changing them would render all
> other signatures invalid and would change the FP.
> (Of course it should be possible to specify an infinite expiration
> time).

Yes, that's why the key expiry should be immutable.  Changing it would
invalidate all signatures on the key, as well as changing the key
fingerprint.  I.e., it's a "different key".

However the key expiry should not be mandatory (i.e. it can be 0,
meaning "never expired").  There are use cases where you might not
necessarily want the key to expire, or you might not know when it should
expire.

> Cheers,
> Chri

-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
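
The two expiry mechanisms discussed in this message, as an added example that is not part of the original post or of any OpenPGP implementation: it compares what a V4 fingerprint and a certification signature hash when the expiry lives in a self-signature subpacket versus inside the key packet. The in-packet expiry layout, its version octet 0xFE, the assumption that it is hashed like a V4 key, and all sample values are hypothetical or constructed.

```python
import hashlib
import struct

def mpi(n):
    """RFC 4880 MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_body(created, n, e, hard_expiry=None):
    """V4 RSA public-key packet body (RFC 4880 5.5.2). hard_expiry is
    HYPOTHETICAL: a 4-octet expiry after the creation time, under a made-up
    version octet 0xFE; no RFC defines this layout."""
    if hard_expiry is None:
        head = bytes([4]) + struct.pack(">I", created)
    else:
        head = bytes([0xFE]) + struct.pack(">II", created, hard_expiry)
    return head + bytes([1]) + mpi(n) + mpi(e)  # algorithm 1 = RSA

def make_cert(body, uid, soft_expiry):
    """Simplified certificate as (tag, body) pairs. The signature body is
    reduced to its Key Expiration Time subpacket (type 9, seconds after creation)."""
    return [(6, body), (13, uid), (2, bytes([5, 9]) + struct.pack(">I", soft_expiry))]

def key_hash_input(cert):
    """0x99, two-octet length, key packet body: only the tag-6 packet is used."""
    body = next(b for tag, b in cert if tag == 6)
    return b"\x99" + struct.pack(">H", len(body)) + body

def fingerprint(cert):
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over key_hash_input."""
    return hashlib.sha1(key_hash_input(cert)).hexdigest().upper()

def certified_prefix(cert):
    """Start of what a certification signature hashes (RFC 4880 5.2.4): key,
    then 0xB4, four-octet length, User ID. The signature's own hashed
    subpackets and trailer follow and are omitted here."""
    uid = next(b for tag, b in cert if tag == 13)
    return key_hash_input(cert) + b"\xb4" + struct.pack(">I", len(uid)) + uid

# Constructed sample values, not a real key.
CREATED, YEAR = 1429800000, 365 * 86400
N, E, UID = (1 << 2047) | 0x10001, 65537, b"Alice <alice@example.org>"

def compare():
    """Extend the expiry from 1 to 5 years under each scheme; report what changed."""
    soft = [make_cert(key_body(CREATED, N, E), UID, y * YEAR) for y in (1, 5)]
    hard = [make_cert(key_body(CREATED, N, E, CREATED + y * YEAR), UID, 0) for y in (1, 5)]
    return {name: (fingerprint(a) != fingerprint(b), certified_prefix(a) != certified_prefix(b))
            for name, (a, b) in (("soft", soft), ("hard", hard))}
```

Each tuple returned by `compare()` reads (fingerprint changed, certified data changed): extending a self-signature expiry changes neither, while extending an in-packet expiry changes both, so existing third-party certifications no longer verify.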
