Re: GPG key expiry questions?
On 03/14/2018 09:14 PM, Daniel Bareiro wrote:
> On 14/03/18 03:26, Ansgar Burchardt wrote:
>> Just run `gpg --refresh-keys` from time to time.
>
> Thanks for the suggestion. I have updated my keyring:
>
> GNUPG seems to have found 9 new signatures ('firmas' in spanish) from
> Richard.
>
> The output in English would be something like this:
>
> Total amount processed: 193
> without changes: 196
> new identifiers: 14
> new subkeys: 14
> new signatures: 3201
>
> These 'signatures' are new public keys?
>
> Still Thunderbird is showing the expired key. Should I restart it to
> take the changes?
>

The "identifiers" (UIDs) are the new identities (name-email pairs) added to keys by the key owners. Subkeys are just subkeys, added by the key owners. These are more like the new public keys, not the signature count below.

Signatures are published signatures on the key in question, not just the self-signatures but by other keys as well. In this case, most probably 9 other people signed the key, and the signatures were published to the keyserver. Not selfsigs, those are less common.

Enigmail just runs gpg(2) under the hood, so if gpg reports the correct results, a restart should be enough, unless it has a separate cache for some reason.
Re: GPG key expiry questions?
Hi, Ansgar.

On 14/03/18 03:26, Ansgar Burchardt wrote:
>>> You can change the expiry date of your own key, but for other people to
>>> be able to see it and avoid having your key show up as expired, you must
>>> publish the new (key? signature? not sure...) and others must fetch it
>>> before the expiry date hits.
>>>
>>> I think what happened is that you edited the expiration date of your key
>>> and published it, but the other person didn't get the updated version
>>> before their copy of your key expired.
>> Ah, that sounds plausible. I think I actually edited it after it had
>> expired, so very likely, if that causes a problem. I have a newer one as
>> well (4096 instead of 2048 bit) - though apparently with no signatures
>> on it yet. Not sure if that will suffer the same problem? I can't
>> remember if that one also expired and was posthumously edited ... If it
>> hasn't actually been used much, will that mean nobody's got it 'cached'?
> Editing the key is no problem, the other side just has to update their
> copy from time to time. But this is necessary anyway: if they do not
> look for updates to the key, they will never know about key revocations
> either and continue to trust a revoked key.
>
> Just run `gpg --refresh-keys` from time to time.

Thanks for the suggestion. I have updated my keyring:

(Spanish output)

--
viper@orion:~$ gpg --refresh-keys
gpg: refreshing 195 keys from hkp://keys.gnupg.net
(...)
gpg: clave B4A2F08FEC70168D: "Richard Hector" 9 firmas nuevas
(...)
gpg: Cantidad total procesada: 193
gpg: sin cambios: 106
gpg: nuevos identificativos: 29
gpg: nuevas subclaves: 14
gpg: nuevas firmas: 3201
gpg: public key C11141521FA7D0B8 is 74797 seconds newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: public key C11141521FA7D0B8 is 74797 seconds newer than the signature
gpg: nivel: 0  validez: 2  firmada: 0  confianza: 0-, 0q, 0n, 0m, 0f, 2u
--

GNUPG seems to have found 9 new signatures ('firmas' in Spanish) from Richard.

The output in English would be something like this:

Total amount processed: 193
without changes: 196
new identifiers: 14
new subkeys: 14
new signatures: 3201

These 'signatures' are new public keys?

Still Thunderbird is showing the expired key. Should I restart it to take the changes?

Kind regards,
Daniel
Re: GPG key expiry questions?
Richard Hector writes:
> On 14/03/18 15:50, likcoras wrote:
>> You can change the expiry date of your own key, but for other people to
>> be able to see it and avoid having your key show up as expired, you must
>> publish the new (key? signature? not sure...) and others must fetch it
>> before the expiry date hits.
>>
>> I think what happened is that you edited the expiration date of your key
>> and published it, but the other person didn't get the updated version
>> before their copy of your key expired.
>
> Ah, that sounds plausible. I think I actually edited it after it had
> expired, so very likely, if that causes a problem. I have a newer one as
> well (4096 instead of 2048 bit) - though apparently with no signatures
> on it yet. Not sure if that will suffer the same problem? I can't
> remember if that one also expired and was posthumously edited ... If it
> hasn't actually been used much, will that mean nobody's got it 'cached'?

Editing the key is no problem, the other side just has to update their copy from time to time. But this is necessary anyway: if they do not look for updates to the key, they will never know about key revocations either and continue to trust a revoked key.

Just run `gpg --refresh-keys` from time to time.

Ansgar
Re: GPG key expiry questions?
On 3/14/2018 4:20 AM, Richard Hector wrote:
> On 14/03/18 15:50, likcoras wrote:
>> On 03/14/2018 11:39 AM, Richard Hector wrote:
>>> And if I search for my key here:
>>>
>>> https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d
>>>
>>> ... I can see that there is a self-sig with the expiry date Daniel
>>> mentioned, but also one for the one I'm seeing.
>>
>> You can change the expiry date of your own key, but for other people to
>> be able to see it and avoid having your key show up as expired, you must
>> publish the new (key? signature? not sure...) and others must fetch it
>> before the expiry date hits.
>>
>> I think what happened is that you edited the expiration date of your key
>> and published it, but the other person didn't get the updated version
>> before their copy of your key expired.
>
> Ah, that sounds plausible. I think I actually edited it after it had
> expired, so very likely, if that causes a problem. I have a newer one as
> well (4096 instead of 2048 bit) - though apparently with no signatures
> on it yet. Not sure if that will suffer the same problem? I can't
> remember if that one also expired and was posthumously edited ... If it
> hasn't actually been used much, will that mean nobody's got it 'cached'?

You should assume that the key is already cached somewhere! :)

> Maybe I should just start from scratch :-(

Key transition is the way to go here:
https://www.apache.org/dev/key-transition.html

--
John Doe
Re: GPG key expiry questions?
On 14/03/18 15:50, likcoras wrote:
> On 03/14/2018 11:39 AM, Richard Hector wrote:
>> And if I search for my key here:
>>
>> https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d
>>
>> ... I can see that there is a self-sig with the expiry date Daniel
>> mentioned, but also one for the one I'm seeing.
>
> You can change the expiry date of your own key, but for other people to
> be able to see it and avoid having your key show up as expired, you must
> publish the new (key? signature? not sure...) and others must fetch it
> before the expiry date hits.
>
> I think what happened is that you edited the expiration date of your key
> and published it, but the other person didn't get the updated version
> before their copy of your key expired.
>

Ah, that sounds plausible. I think I actually edited it after it had expired, so very likely, if that causes a problem. I have a newer one as well (4096 instead of 2048 bit) - though apparently with no signatures on it yet. Not sure if that will suffer the same problem? I can't remember if that one also expired and was posthumously edited ... If it hasn't actually been used much, will that mean nobody's got it 'cached'?

Maybe I should just start from scratch :-(

Secure distribution and collecting signatures always seems to be the problem.

Thanks,
Richard
Re: GPG key expiry questions?
On 03/14/2018 11:39 AM, Richard Hector wrote:
> And if I search for my key here:
>
> https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d
>
> ... I can see that there is a self-sig with the expiry date Daniel
> mentioned, but also one for the one I'm seeing.

You can change the expiry date of your own key, but for other people to be able to see it and avoid having your key show up as expired, you must publish the new (key? signature? not sure...) and others must fetch it before the expiry date hits.

I think what happened is that you edited the expiration date of your key and published it, but the other person didn't get the updated version before their copy of your key expired.
GPG key expiry questions?
Hi all,

Daniel Bareiro recently pointed out that he sees my GPG key as being expired:

On 14/03/18 15:14, Daniel Bareiro wrote:
> This is the information I see in Thunderbird with Enigmail:
>
> Fingerprint: 9E11 77C0 8F96 98B8 82EF 70E4 B4A2 F08F EC70 168D
> Created: 05/09/2010
> Expiration: 10/05/2015

gpg --list-secret-keys shows an expiry of 2018-08-05.

And if I search for my key here:

https://pgp.surfnet.nl/pks/lookup?op=vindex=on=0xb4a2f08fec70168d

... I can see that there is a self-sig with the expiry date Daniel mentioned, but also one for the one I'm seeing.

Can someone help clarify what's going on?

Thanks,
Richard

P.S. the web of trust reveals quite a bit about me, doesn't it ...
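The thread turns on two copies of the same key disagreeing about its expiry: the local keyring sees the newest self-signature, the other side sees a stale one, and the fix is to refresh (for someone else's key) or to republish (for your own). The script below is an added example, not code from the thread or from GnuPG: it parses the machine-readable output of `gpg --with-colons --list-keys` and reports which primary keys are expired or expiring within a warning window, so you learn about a lapse before Enigmail or a correspondent does. The listing embedded in it is constructed for illustration; it reuses the key id and fingerprint quoted in the thread with the expiry Enigmail showed, and the other two key ids, the user ids and the epoch timestamps are placeholders.

```python
"""Report expired and soon-to-expire OpenPGP keys from gpg's colon listing."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `gpg --with-colons --list-keys` output (not captured
# from the thread).  Colon-record layout used here: field 1 = record type,
# field 2 = computed validity ('e' = expired, 'u' = ultimate, '-' = unknown),
# field 5 = key id, field 6 = creation time, field 7 = expiry time (both in
# seconds since the epoch; an empty field 7 means the key never expires),
# field 10 = fingerprint (fpr records) or user id (uid records).
# The first key carries the thread's key id/fingerprint with the 2015-05-10
# expiry Enigmail displayed; the AAAA.../BBBB... key ids are placeholders.
SAMPLE_LISTING = """\
tru::1:1521000000:1600000000:3:1:5
pub:e:2048:1:B4A2F08FEC70168D:1283644800:1431216000::-::::::::::0:
fpr:::::::::9E1177C08F9698B882EF70E4B4A2F08FEC70168D:
uid:e::::1283644800::0000000000000000000000000000000000000000::Richard Hector <richard@example.invalid>::::::::::0:
sub:e:2048:1:0123456789ABCDEF:1283644800:1431216000:::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
pub:u:4096:1:AAAAAAAAAAAAAAAA:1521000000:1533427200::u::::::::::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1521000000::0000000000000000000000000000000000000001::Own Key <me@example.invalid>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1521000000:::-::::::::::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1521000000::0000000000000000000000000000000000000002::No Expiry <noexp@example.invalid>::::::::::0:
"""


@dataclass
class KeyStatus:
    keyid: str
    validity: str
    created: int
    expires: Optional[int]          # epoch seconds; None = never expires
    fingerprint: Optional[str] = None
    uid: Optional[str] = None


def parse_listing(text: str) -> List[KeyStatus]:
    """Collect one KeyStatus per primary key ('pub' record).

    The fingerprint is taken only from the fpr record that directly follows
    the pub record, so subkey fingerprints are not mistaken for it; the first
    uid after the pub record becomes the display name.
    """
    keys: List[KeyStatus] = []
    current: Optional[KeyStatus] = None
    last = ""
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = KeyStatus(keyid=f[4], validity=f[1], created=int(f[5]),
                                expires=int(f[6]) if f[6] else None)
            keys.append(current)
        elif rtype == "fpr" and current is not None and last == "pub":
            current.fingerprint = f[9]
        elif rtype == "uid" and current is not None and current.uid is None:
            current.uid = f[9]
        last = rtype
    return keys


def days_left(key: KeyStatus, now: int) -> Optional[int]:
    """Whole days until expiry (negative once expired), None if no expiry."""
    if key.expires is None:
        return None
    return (key.expires - now) // 86400


def classify(key: KeyStatus, now: int, warn_days: int = 30) -> str:
    """Bucket a key as 'no-expiry', 'expired', 'expiring-soon' or 'ok'."""
    if key.expires is None:
        return "no-expiry"
    if key.expires <= now:
        return "expired"
    if key.expires - now <= warn_days * 86400:
        return "expiring-soon"
    return "ok"


def report(text: str, now: int, warn_days: int = 30) -> Dict[str, str]:
    """Map each primary key id in the listing to its expiry bucket."""
    return {k.keyid: classify(k, now, warn_days) for k in parse_listing(text)}


if __name__ == "__main__":
    # Against a live keyring you would feed in the output of
    #   gpg --with-colons --list-keys
    # instead of SAMPLE_LISTING.  An 'expired' verdict on someone else's key
    # only means *your copy* has no newer self-signature: refresh first
    # (gpg --refresh-keys), as the thread advises, before concluding anything.
    now = int(time.time())
    for key in parse_listing(SAMPLE_LISTING):
        print(f"{key.keyid} {classify(key, now):14} days_left={days_left(key, now)} {key.uid}")
```

Subkeys carry their own expiry in their `sub` records; the example deliberately reports only primary keys, because that is the expiry Enigmail and the keyserver listing in the thread are disagreeing about.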