On Wed, 2015-10-21 at 14:29 +0300, Petko Manolov wrote:
> On 15-10-21 07:22:58, Mimi Zohar wrote:
> > On Wed, 2015-10-21 at 11:50 +0100, David Howells wrote:
> > > Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> > Adding the semantics at the keyring level would be better than at the
> > individual key level. This new flag would prevent keys on the blacklist
> > from being removed. I like this solution.
>
> Err, what if the key's end-of-life is reached? Revoked or not, it should go.
>
> This is more of a question rather than a statement.

Keys that have not expired should not be removed from the blacklist.
Otherwise nothing prevents those keys from being re-loaded and used on a
trusted keyring. Expired keys would be flagged normally. Any searches
would result in -EKEYEXPIRED. I guess there's no harm in removing expired
keys from the blacklist.

Mimi