On 15-10-21 07:52:20, Mimi Zohar wrote:
> On Wed, 2015-10-21 at 14:29 +0300, Petko Manolov wrote:
> > On 15-10-21 07:22:58, Mimi Zohar wrote:
> > > On Wed, 2015-10-21 at 11:50 +0100, David Howells wrote:
> > > > Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> > > > Adding the semantics at the keyring level would be better than at the
> > > individual key level. This new flag would prevent keys on the blacklist from
> > > being removed. I like this solution.
> >
> > Err, what if the key's end-of-life is reached? Revoked or not, it should go.
> > This is more of a question rather than a statement.
>
> Keys that have not expired should not be removed from the blacklist. Otherwise
> nothing prevents those keys from being re-loaded and used on a trusted
> keyring. Expired keys would be flagged normally. Any searches would result in
> -EKEYEXPIRED.

I guess the above summarizes the issue nicely. Now let's do it. :)

> I guess there's no harm in removing expired keys from the blacklist.

I say this would be the correct behavior.

cheers,
Petko