On Wed, Sep 06, 2000 at 11:50:17AM -0400, Derek Atkins wrote:
> Ray Dillinger <[EMAIL PROTECTED]> writes:
>> I have long felt that PGP missed a trick when it didn't have
>> automatic expiry for keys -- It should be possible to build
>> into each key an expiration date, fixed at the time of its
>> creation. For shorter keys, it ought to default to expiring
>> sooner, and not allow expiry more than a year or two out.
>> For a 2048 bit key, it ought to default to something like 10
>> years and let you pick a term up to a century.
> Actually, PGP has always had a key expiry time, even as long ago as
> PGP 2.0 (maybe even longer). The only problem is that it defaults to
> '0', which means 'no expiry'.
This is not the only problem. The other problem is that, while in the
previous PGP data format key expiry times used to be in the part of
the key that is hashed for key signing, in the latest key format they
are only present in self-signatures. Third-party key certifications
in version 4 signature format do not cover the expiry time, thus the
expiry time is pretty much worthless as a countermeasure against key
compromise -- after all, an attacker who knows the key can easily
issue a new self-signature with an updated validity period.
To prevent this protocol error from doing harm, the software used
for key certification should make sure that whenever a key having
an expiry time is signed, the certifying signature should get
a signature validity period that extends into the future no farther
than justified by the (current) key validity period.
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
