ietf-openpgp

Re: [openpgp] rfc3880bis - hard expiration time

2015-04-28 09:04:53
Jon Callas <jon(_at_)callas(_dot_)org> writes:

I read your explanation. I understand it. I just disagree.

I think that hard-expiration is not only a bad idea, but unenforceable.

It was enforceable with V3 keys.  It is, as Christoph pointed out, no
longer enforceable with V4 keys because it was moved out of the Public
Key Packet and into the SelfSig.  :-(

I'm well aware of this, Derek. I'm saying that hard expiration is in
my opinion not only impossible even with V3 keys (just rewrite
everything), but a bad idea.

Rewriting means that all the signatures on your key become invalid.
It's effectively a completely "new" key/certificate.  Sure, there is
nothing to prevent a user (or an attacker) from doing that (reusing key
material), but then they would have to go out and social engineer
certificate signatures in order to gain trust for the "new" key.

It's a *good* thing for Alice to be able to update the expiration time
on her key. It encourages putting a limit on (as opposed to no limit)
if it can be changed later. It also allows advanced systems to be able
to do some really cool things with short lived keys.

This is a reason for SelfSigs to expire.  However if the key itself is
stolen/compromised the attacker could then create an updated SelfSig
with an updated expiration.

If the key itself had an expiration (as it did in v3) then this attack
wouldn't work.  But then it also means Alice would *have* to generate a
new key after the old key expired.  (Or, worst case, Alice would have to
regenerate a new Certificate using the same key parameters and then
obtain all those signatures again).

Yeah, and I'm saying that I think the current behavior is a good thing,
all in all. Gentlepersons can disagree on this; I'm just giving my
opinion.

Of course.  And in many use cases that's probably sufficient.  I see use
cases where it is not sufficient, so I'd like to regain that feature.

      Jon

-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
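As an added illustration (not code from this thread or from any OpenPGP implementation), a small Python parser for the RFC 4880 signature subpacket area that makes the V4 point above concrete: the key's expiration is whatever the newest self-signature's Key Expiration Time subpacket says, so anyone who can issue a new self-signature can move it. The timestamps and the two sample self-signatures are constructed, and signature verification and revocation checks are deliberately left out.

```python
import struct
from typing import Dict, List, Optional

# RFC 4880 sec. 5.2.3.1: each subpacket is <length><type><body>; length covers type+body.
SIGNATURE_CREATION_TIME = 2  # sec. 5.2.3.4, 4-octet unix time
KEY_EXPIRATION_TIME = 9      # sec. 5.2.3.6, 4-octet seconds *after key creation*


def parse_subpackets(area: bytes) -> Dict[int, bytes]:
    """Parse raw (hashed) subpacket data, given without its 2-octet count prefix."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # 1-octet length form
            length, i = first, i + 1
        elif first < 255:                     # 2-octet length form
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # 5-octet length form
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        sptype = area[i] & 0x7F               # bit 7 is the "critical" flag
        out[sptype] = area[i + 1:i + length]
        i += length
    return out


def subpacket(sptype: int, body: bytes) -> bytes:
    """Encode one short subpacket (constructed test data, 1-octet length form)."""
    return bytes([len(body) + 1, sptype]) + body


def effective_expiry(key_created: int, selfsigs: List[bytes]) -> Optional[int]:
    """Expiry (unix time) implied by the newest self-signature, or None if it never expires.
    Simplification: the self-signatures are assumed already verified and unrevoked."""
    newest = None
    for area in selfsigs:
        sp = parse_subpackets(area)
        created = struct.unpack(">I", sp[SIGNATURE_CREATION_TIME])[0]
        if newest is None or created > newest[0]:
            newest = (created, sp.get(KEY_EXPIRATION_TIME))
    if newest is None or newest[1] is None:
        return None
    return key_created + struct.unpack(">I", newest[1])[0]


# Constructed sample: key created at 1430000000; the first self-sig gives it one year...
KEY_CREATED = 1430000000
SELFSIG_OLD = (subpacket(SIGNATURE_CREATION_TIME, struct.pack(">I", KEY_CREATED))
               + subpacket(KEY_EXPIRATION_TIME, struct.pack(">I", 365 * 86400)))
# ...and a later self-sig (by whoever holds the secret key) stretches it to ten years.
SELFSIG_NEW = (subpacket(SIGNATURE_CREATION_TIME, struct.pack(">I", 1440000000))
               + subpacket(KEY_EXPIRATION_TIME, struct.pack(">I", 10 * 365 * 86400)))

if __name__ == "__main__":
    print(effective_expiry(KEY_CREATED, [SELFSIG_OLD]))               # 1461536000
    print(effective_expiry(KEY_CREATED, [SELFSIG_OLD, SELFSIG_NEW]))  # 1745360000
```

A V3-style hard expiration would instead be read from the key packet itself, which no later self-signature can alter.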
