Re: GPG key expiry questions?

2018-03-14 Thread likcoras
On 03/14/2018 09:14 PM, Daniel Bareiro wrote:
> On 14/03/18 03:26, Ansgar Burchardt wrote:
>> Just run `gpg --refresh-keys` from time to time.
> 
> Thanks for the suggestion. I have updated my keyring:
> 
> GNUPG seems to have found 9 new signatures ('firmas' in Spanish) from
> Richard.
> 
> The output in English would be something like this:
> 
> Total amount processed: 193
> without changes: 196
> new identifiers: 14
> new subkeys: 14
> new signatures: 3201
> 
> These 'signatures' are new public keys?
> 
> Still Thunderbird is showing the expired key. Should I restart it to
> take the changes?
> 

The "identifiers" (UIDs) are the new identities (name-email pairs) added
to keys by the key owners.

Subkeys are just subkeys, added by the key owners. These are more like
the new public keys, not the signature count below.

Signatures are published signatures on the key in question, not just the
self-signatures but by other keys as well. In this case, most probably 9
other people signed the key, and the signatures were published to the
keyserver. Not self-sigs; those are less common.

Enigmail just runs gpg(2) under the hood, so if gpg reports the correct
results, a restart should be enough, unless it has a separate cache for
some reason.



Re: GPG key expiry questions?

2018-03-14 Thread Daniel Bareiro
Hi, Ansgar.

On 14/03/18 03:26, Ansgar Burchardt wrote:

>>> You can change the expiry date of your own key, but for other people to
>>> be able to see it and avoid having your key show up as expired, you must
>>> publish the new (key? signature? not sure...) and others must fetch it
>>> before the expiry date hits.
>>>
>>> I think what happened is that you edited the expiration date of your key
>>> and published it, but the other person didn't get the updated version
>>> before their copy of your key expired.

>> Ah, that sounds plausible. I think I actually edited it after it had
>> expired, so very likely, if that causes a problem. I have a newer one as
>> well (4096 instead of 2048 bit) - though apparently with no signatures
>> on it yet. Not sure if that will suffer the same problem? I can't
>> remember if that one also expired and was posthumously edited ... If it
>> hasn't actually been used much, will that mean nobody's got it 'cached'?

> Editing the key is no problem, the other side just has to update their
> copy from time to time.  But this is necessary anyway: if they do not
> look for updates to the key, they will never know about key revocations
> either and continue to trust a revoked key.
> 
> Just run `gpg --refresh-keys` from time to time.

Thanks for the suggestion. I have updated my keyring:
(Spanish output, translated)

--
viper@orion:~$ gpg --refresh-keys
gpg: refreshing 195 keys from hkp://keys.gnupg.net
(...)
gpg: key B4A2F08FEC70168D: "Richard Hector " 9 new signatures
(...)
gpg: Total number processed: 193
gpg:              unchanged: 106
gpg:           new user IDs: 29
gpg:            new subkeys: 14
gpg:         new signatures: 3201
gpg: public key C11141521FA7D0B8 is 74797 seconds newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: public key C11141521FA7D0B8 is 74797 seconds newer than the signature
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
--

GNUPG seems to have found 9 new signatures ('firmas' in Spanish) from
Richard.

The output in English would be something like this:

Total amount processed: 193
without changes: 196
new identifiers: 14
new subkeys: 14
new signatures: 3201

These 'signatures' are new public keys?

Still Thunderbird is showing the expired key. Should I restart it to
take the changes?

Kind regards,
Daniel





Re: GPG key expiry questions?

2018-03-14 Thread Ansgar Burchardt
Richard Hector writes:
> On 14/03/18 15:50, likcoras wrote:
>> You can change the expiry date of your own key, but for other people to
>> be able to see it and avoid having your key show up as expired, you must
>> publish the new (key? signature? not sure...) and others must fetch it
>> before the expiry date hits.
>> 
>> I think what happened is that you edited the expiration date of your key
>> and published it, but the other person didn't get the updated version
>> before their copy of your key expired.
>
> Ah, that sounds plausible. I think I actually edited it after it had
> expired, so very likely, if that causes a problem. I have a newer one as
> well (4096 instead of 2048 bit) - though apparently with no signatures
> on it yet. Not sure if that will suffer the same problem? I can't
> remember if that one also expired and was posthumously edited ... If it
> hasn't actually been used much, will that mean nobody's got it 'cached'?

Editing the key is no problem, the other side just has to update their
copy from time to time.  But this is necessary anyway: if they do not
look for updates to the key, they will never know about key revocations
either and continue to trust a revoked key.

Just run `gpg --refresh-keys` from time to time.

Ansgar



Re: GPG key expiry questions?

2018-03-13 Thread john doe

On 3/14/2018 4:20 AM, Richard Hector wrote:
> On 14/03/18 15:50, likcoras wrote:
>> On 03/14/2018 11:39 AM, Richard Hector wrote:
>>> And if I search for my key here:
>>>
>>> https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d
>>>
>>> ... I can see that there is a self-sig with the expiry date Daniel
>>> mentioned, but also one for the one I'm seeing.
>>
>> You can change the expiry date of your own key, but for other people to
>> be able to see it and avoid having your key show up as expired, you must
>> publish the new (key? signature? not sure...) and others must fetch it
>> before the expiry date hits.
>>
>> I think what happened is that you edited the expiration date of your key
>> and published it, but the other person didn't get the updated version
>> before their copy of your key expired.
>
> Ah, that sounds plausible. I think I actually edited it after it had
> expired, so very likely, if that causes a problem. I have a newer one as
> well (4096 instead of 2048 bit) - though apparently with no signatures
> on it yet. Not sure if that will suffer the same problem? I can't
> remember if that one also expired and was posthumously edited ... If it
> hasn't actually been used much, will that mean nobody's got it 'cached'?

You should assume that the key is already cached somewhere! :)

> Maybe I should just start from scratch :-(

Key transition is the way to go here:

https://www.apache.org/dev/key-transition.html

--
John Doe



Re: GPG key expiry questions?

2018-03-13 Thread Richard Hector
On 14/03/18 15:50, likcoras wrote:
> On 03/14/2018 11:39 AM, Richard Hector wrote:
>> And if I search for my key here:
>>
>> https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d
>>
>> ... I can see that there is a self-sig with the expiry date Daniel
>> mentioned, but also one for the one I'm seeing.
> 
> You can change the expiry date of your own key, but for other people to
> be able to see it and avoid having your key show up as expired, you must
> publish the new (key? signature? not sure...) and others must fetch it
> before the expiry date hits.
> 
> I think what happened is that you edited the expiration date of your key
> and published it, but the other person didn't get the updated version
> before their copy of your key expired.
> 

Ah, that sounds plausible. I think I actually edited it after it had
expired, so very likely, if that causes a problem. I have a newer one as
well (4096 instead of 2048 bit) - though apparently with no signatures
on it yet. Not sure if that will suffer the same problem? I can't
remember if that one also expired and was posthumously edited ... If it
hasn't actually been used much, will that mean nobody's got it 'cached'?

Maybe I should just start from scratch :-(

Secure distribution and collecting signatures always seems to be the
problem.

Thanks,
Richard





Re: GPG key expiry questions?

2018-03-13 Thread likcoras
On 03/14/2018 11:39 AM, Richard Hector wrote:
> And if I search for my key here:
> 
> https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d
> 
> ... I can see that there is a self-sig with the expiry date Daniel
> mentioned, but also one for the one I'm seeing.

You can change the expiry date of your own key, but for other people to
be able to see it and avoid having your key show up as expired, you must
publish the new (key? signature? not sure...) and others must fetch it
before the expiry date hits.

I think what happened is that you edited the expiration date of your key
and published it, but the other person didn't get the updated version
before their copy of your key expired.
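
An added example, not code from anyone in this thread, to make concrete the mechanism this post describes and that likcoras's later reply relies on when it tells UIDs, subkeys and third-party signatures apart: a key's expiry is not stored in the public-key packet but in the Key Expiration Time subpacket of the owner's own certification (the "self-sig" Richard saw twice on the keyserver), so extending the expiry means publishing a newer self-sig, and a correspondent who never refreshes keeps evaluating the old one. The Python below hand-builds a minimal RFC 4880 transferable key with two self-certifications and one third-party certification, then computes the effective expiry the way a keyring merge has to: from the newest self-certification, whatever order the packets arrive in, ignoring other people's signatures. Everything in it is constructed: the key material and signature MPIs are dummies, the names, timestamps and issuer IDs are placeholders, and nothing verifies a signature. It goes a little beyond the post in also handling a self-sig with no expiry subpacket (a key that never expires).

```python
"""Minimal RFC 4880 packet builder/parser showing where a key's expiry lives. Added
example, not thread code: all key material, timestamps, names and IDs are placeholders."""
import hashlib
import struct
from datetime import datetime, timezone

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUB_SIG_CREATION, SUB_KEY_EXPIRATION, SUB_ISSUER = 2, 9, 16
SIG_POSITIVE_CERT = 0x13  # certification type GnuPG uses for self-signatures

def ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def encode_len(n):  # new-format length octets (RFC 4880 4.2.2), 1 or 2 octets
    if n < 192:
        return bytes([n])
    if n < 8384:
        return bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    raise ValueError("5-octet and partial lengths not handled in this example")

def read_len(buf, i):
    b0 = buf[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 224:
        return ((b0 - 192) << 8) + buf[i + 1] + 192, i + 2
    raise ValueError("5-octet and partial lengths not handled in this example")

def packet(tag, body):  # new-format header: 0b11 tttttt, then length, then body
    return bytes([0xC0 | tag]) + encode_len(len(body)) + body

def subpacket(sub_type, body):  # the length covers the type octet plus the body
    return encode_len(1 + len(body)) + bytes([sub_type]) + body

def public_key_body(created):  # v4: version, creation time, RSA (1), toy MPIs n, e
    body = b"\x04" + struct.pack(">I", created) + b"\x01"
    body += struct.pack(">H", 32) + ((1 << 31) | 12345).to_bytes(4, "big")
    return body + struct.pack(">H", 17) + (65537).to_bytes(3, "big")

def key_id(pubkey_body):  # low 64 bits of SHA-1(0x99 || 2-octet length || body)
    h = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return h.digest()[-8:]

def certification(issuer, signed_at, expires_delta=None):
    """v4 positive certification; expiry is a HASHED subpacket of seconds after KEY creation."""
    hashed = subpacket(SUB_SIG_CREATION, struct.pack(">I", signed_at))
    hashed += subpacket(SUB_ISSUER, issuer)
    if expires_delta is not None:
        hashed += subpacket(SUB_KEY_EXPIRATION, struct.pack(">I", expires_delta))
    body = bytes([4, SIG_POSITIVE_CERT, 1, 8])  # version, type, RSA, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed
    # no unhashed subpackets, 2-octet hash prefix, 1-bit dummy signature MPI
    return packet(TAG_SIGNATURE, body + struct.pack(">HHH", 0, 0, 1) + b"\x01")

def iter_packets(data):
    i = 0
    while i < len(data):
        assert (data[i] & 0xC0) == 0xC0, "old-format header not handled in this example"
        tag, (length, i) = data[i] & 0x3F, read_len(data, i + 1)
        yield tag, data[i:i + length]
        i += length

def parse_subpackets(buf):
    subs, i = {}, 0
    while i < len(buf):
        length, i = read_len(buf, i)
        subs[buf[i] & 0x7F] = buf[i + 1:i + length]  # drop the "critical" bit
        i += length
    return subs

def effective_expiry(data):
    """(key_created, expires_at or None) from the NEWEST self-certification, whatever
    order the packets arrived in. Certifications by other keys are skipped."""
    key_created, own_id, newest = None, None, None
    for tag, body in iter_packets(data):
        if tag == TAG_PUBLIC_KEY:
            key_created, own_id = struct.unpack(">I", body[1:5])[0], key_id(body)
        elif tag == TAG_SIGNATURE and body[1] == SIG_POSITIVE_CERT:
            subs = parse_subpackets(body[6:6 + struct.unpack(">H", body[4:6])[0]])
            if subs.get(SUB_ISSUER) != own_id:
                continue  # somebody else's signature carries no key expiry
            made = struct.unpack(">I", subs[SUB_SIG_CREATION])[0]
            if newest is None or made > newest[0]:
                newest = (made, subs.get(SUB_KEY_EXPIRATION))
    if newest is None or newest[1] is None:
        return key_created, None
    return key_created, key_created + struct.unpack(">I", newest[1])[0]

def is_expired(data, now):
    expires_at = effective_expiry(data)[1]
    return expires_at is not None and now >= expires_at

# Constructed scenario: the owner extended the expiry AFTER the key had lapsed, and
# whoever still holds the old copy keeps seeing "expired" until they refresh it.
CREATED = ts(2010, 9, 5)
PUB = public_key_body(CREATED)
UID = packet(TAG_USER_ID, b"Example Owner <owner@example.invalid>")
OLD_SELFSIG = certification(key_id(PUB), CREATED, ts(2015, 9, 5) - CREATED)
NEW_SELFSIG = certification(key_id(PUB), ts(2017, 1, 10), ts(2018, 9, 5) - CREATED)
OTHER_SIG = certification(b"\x01" * 8, ts(2018, 3, 1))  # a third party's certification
STALE_COPY = packet(TAG_PUBLIC_KEY, PUB) + UID + OLD_SELFSIG
REFRESHED_COPY = STALE_COPY + OTHER_SIG + NEW_SELFSIG
```

With `now` set to the date of this thread, `is_expired(STALE_COPY, ts(2018, 3, 14))` is true while `is_expired(REFRESHED_COPY, ts(2018, 3, 14))` is false, although both blobs describe the same key: the only difference is the extra self-certification the refresh pulled in. Two details matter in practice and are why the parser is written this way: the newest self-sig is chosen by its Signature Creation Time, not by its position in the file, so a keyserver that stores the old and new self-sigs in either order yields the same answer; and the issuer is compared against the key's own ID so that nine new third-party signatures, like those Daniel's refresh pulled in, never move the expiry. On a real key the same subpackets can be inspected with `gpg --export KEYID | gpg --list-packets`, which prints the hashed subpacket 9 of each self-sig.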



GPG key expiry questions?

2018-03-13 Thread Richard Hector
Hi all,

Daniel Bareiro recently pointed out that he sees my GPG key as being
expired:

On 14/03/18 15:14, Daniel Bareiro wrote:
> This is the information I see in Thunderbird with Enigmail:
>
> Fingerprint: 9E11 77C0 8F96 98B8 82EF 70E4 B4A2 F08F EC70 168D
> Created: 05/09/2010
> Expiration: 10/05/2015

gpg --list-secret-keys shows an expiry of 2018-08-05.

And if I search for my key here:

https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d

... I can see that there is a self-sig with the expiry date Daniel
mentioned, but also one for the one I'm seeing.

Can someone help clarify what's going on?

Thanks,
Richard
P.S. the web of trust reveals quite a bit about me, doesn't it ...


