ietf-openpgp

Re: [openpgp] rfc3880bis - hard expiration time

2015-04-24 12:38:47
Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> writes:

> On Thu, Apr 23, 2015 at 11:48 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com>
> wrote:
>> Christoph Anton Mitterer <calestyo(_at_)scientia(_dot_)net> writes:
>>
>>> On Mon, 2015-04-20 at 23:50 -0700, Jon Callas wrote:
>>>> Personally, I think that the present way things are done is
>>>> syntactically fine. Semantically, there are many bogosities. You can
>>>> time-limit your signature on a key, but no one ever does.
>>> As I've explained before, I don't think that this is the same as
>>> hardcoding it into the key, as it wouldn't change the fingerprint, would
>>> it?!
>>
>> No, it would not, which is IMHO the right thing.
>>
>> I.e., IMNSHO I feel you should expire your key by expiring your
>> self-signature on the key.  If you want to extend your key then you
>> re-sign it with a new self-signature.
>
> You are not expiring a key. That is impossible in any PKI and almost
> certainly undesirable.

Well, it depends.  In OpenPGP you *can* expire the key (by setting the
Key Expiration in the Public Key Packet by setting it to a non-zero
value).  My argument is that that setting should be immutable.  I.e., if
you change the value in the key packet, it's IMHO effectively a new key,
with a new fingerprint, and would require new signatures.

Whether or not it's desirable is an open question (and one I don't
think you or I can make for the users).

> What you are doing is expiring an assertion binding between the key to
> a set of attributes. Similarly you are not revoking a key, you are
> making an irrevocable and permanent assertion that the key is not
> valid.
>
> Being precise about these things is going to be important if we are
> going to actually clean up OpenPGP and not add more confusion.

I agree it's important to be precise.  And yes, the proposal I made
earlier to use the self-sig is indeed expiring the assertion binding the
key to a UserID.  I.e., the signature itself has an expiry (which is
independent of the expiry field in the Public Key Packet).  When the
signature expires then the assertion expires.  But of course you can
refresh the signature; it doesn't change the key.

Of course, as pointed out, you're only as strong as your weakest
algorithm, so there is a risk of someone being able to create a false
signature using a (supported) broken hash algorithm.  I consider this a
LOW risk, but it is still a risk.

> It is quite possible to set a key fingerprint for expiry however. We
> simply take a fingerprint of an assertion that includes an expiry
> time.

This is... different.  OpenPGP allows you to specify a fingerprint as a
dedicated revoker.  I.e., I assert (via a self-sig IIRC) that the key
with fingerprint X is allowed to revoke this key.  I'm not sure that you
would use your own fingerprint for anything like this.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

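The fingerprint argument in the message above, as an added example that is not part of the original thread or of any OpenPGP implementation: it computes a v4 fingerprint per RFC 4880 section 12.2 over a constructed RSA key packet, shows that refreshing the Key Expiration Time subpacket (type 9) in the self-signature leaves the fingerprint unchanged, and models a hypothetical `hard_expiry_days` field written into the key packet itself (real v4 packets have no such field) to show that changing it produces a new fingerprint. The key material, the `refresh_self_signature` helper and the `compare` function are constructed for this example.

```python
import hashlib
import struct
from typing import Dict, Optional

def mpi(value: int) -> bytes:
    """OpenPGP MPI (RFC 4880 3.2): 2-octet bit length, then the big-endian magnitude."""
    magnitude = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + magnitude

def public_key_body(created: int, n: int, e: int, hard_expiry_days: Optional[int] = None) -> bytes:
    """Body of a v4 Public-Key packet (RFC 4880 5.5.2): version, creation time, algorithm 1 (RSA), n, e.
    hard_expiry_days is a HYPOTHETICAL field standing in for an expiry written into the key packet
    itself; real v4 packets carry no such field, it is only here to show what that design would do."""
    body = b"\x04" + struct.pack(">I", created)
    if hard_expiry_days is not None:
        body += struct.pack(">H", hard_expiry_days)
    return body + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, then the key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def key_expiration_subpacket(seconds_after_creation: int) -> bytes:
    """Key Expiration Time subpacket (type 9, RFC 4880 5.2.3.6) for the hashed area of a
    self-signature: 1-octet length (type + 4 data octets), type, 4-octet value."""
    return bytes([5, 9]) + struct.pack(">I", seconds_after_creation)

def refresh_self_signature(cert: Dict[str, bytes], new_expiry_seconds: int) -> Dict[str, bytes]:
    """Re-sign with a new expiry: only the self-signature's hashed subpackets change, the key packet does not."""
    return {"key_body": cert["key_body"], "selfsig_hashed": key_expiration_subpacket(new_expiry_seconds)}

# Constructed sample key material; not a real key.
CREATED = 1429574400  # 2015-04-21 00:00:00 UTC
N = 0xC0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
E = 65537
YEAR = 365 * 86400

def compare() -> Dict[str, object]:
    """Self-sig refresh keeps the fingerprint; a hypothetical expiry in the key packet changes it."""
    cert = {"key_body": public_key_body(CREATED, N, E), "selfsig_hashed": key_expiration_subpacket(YEAR)}
    refreshed = refresh_self_signature(cert, 2 * YEAR)
    return {
        "fingerprint": v4_fingerprint(cert["key_body"]),
        "selfsig_changed": cert["selfsig_hashed"] != refreshed["selfsig_hashed"],
        "selfsig_refresh_keeps_fingerprint":
            v4_fingerprint(cert["key_body"]) == v4_fingerprint(refreshed["key_body"]),
        "hardcoded_expiry_changes_fingerprint":
            v4_fingerprint(public_key_body(CREATED, N, E, 365)) != v4_fingerprint(public_key_body(CREATED, N, E, 730)),
    }
```

Call `compare()` to see the fingerprint and the three comparisons; the fingerprint is a 40-hex-digit SHA-1 because only the key packet body is hashed, never the self-signature.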
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
