Re: Best practice for periodic key change?

2011-05-06 Thread Grant Olson
On 5/6/2011 10:05 PM, Hauke Laging wrote: > > Several people have mentioned that a signature does not become invalid by > expiration of the key. That is formally correct and describes the GnuPG > behaviour. But with regard to content in such a case there has to be an > additional proof that the

Re: Best practice for periodic key change?

2011-05-06 Thread Hauke Laging
On Friday, 6 May 2011, 22:37:12, Doug Barton wrote: > > That's not correct for subkeys and offline mainkeys as the good guys do > > it. > > I don't understand this response. What I'm saying is that if the key is > compromised, expiration dates become irrelevant. Perhaps you could > expand your

Re: Best practice for periodic key change?

2011-05-06 Thread Hauke Laging
On Friday, 6 May 2011, 21:48:03, Ingo Klöcker wrote: > > What is the difference between these two options with respect to the > > point of confusion? > > Unless I'm missing something the difference is as follows: > - With prolongation of the expiration time releases signed before the > prolong

Re: Best practice for periodic key change?

2011-05-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 7 May 2011 at 12:01:30 AM, Jerome Baum wrote: > Email > headers don't really make a difference -- they would > have signed it yesterday and sent it today, but the > message is still from yesterday. OK, when was this message s

Re: Best practice for periodic key change?

2011-05-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 7 May 2011 at 12:11:06 AM, Jerome Baum wrote: > Actually let me put this in context so you see what I > mean. I already see what you mean; I just happen to disagree. (-; > Say my sub-key expired yesterday. Today, you come

Re: Best practice for periodic key change?

2011-05-06 Thread Jerome Baum
On Sat, May 7, 2011 at 01:01, Jerome Baum wrote: > Okay, let me rephrase that. "claim it's from today" should have been "have > the signature date as today". That's how I would interpret such a claim. > Email headers don't really make a difference -- they would have signed it > yesterday and sent

Re: Best practice for periodic key change?

2011-05-06 Thread Jerome Baum
On Sat, May 7, 2011 at 00:40, MFPA wrote: > > On Friday 6 May 2011 at 10:18:29 PM, in > , Jerome Baum > wrote: > > > >>> If my key expired yesterday, no-one can > >>> forge a message with that key and claim it's from > >>> today. > > Suppose your master key is secure and offline but Mallory has c

Re: Best practice for periodic key change?

2011-05-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 6 May 2011 at 10:18:29 PM, Jerome Baum wrote: >>> If my key expired yesterday, no-one can >>> forge a message with that key and claim it's from >>> today. >> Never heard of a system clock that was wrong? > I'll give a summary

https://lists.gnupg.org X.509 certificate is expired

2011-05-06 Thread Daniel Kahn Gillmor
When i point a web browser at https://lists.gnupg.org, i get a warning that the server's X.509 certificate is expired (it has a CN of trithemius.gnupg.org and several subjectAltNames, including lists.gnupg.org). I'm not a fan of the CA cartel, but it would be nice to have some up-to-date way of ve

Re: Best practice for periodic key change?

2011-05-06 Thread Jerome Baum
On Fri, May 6, 2011 at 23:07, MFPA wrote: > On Friday 6 May 2011 at 9:48:26 PM, in > , Jerome Baum > wrote: > > > > If my key expired yesterday, no-one can > > forge a message with that key and claim it's from > > today. > > > Never heard of a system clock that was wrong? I'll give a summary re

Fwd: Re: Best practice for periodic key change?

2011-05-06 Thread Grant Olson
Meant to send on-list... Original Message Subject: Re: Best practice for periodic key change? Date: Sun, 08 May 2011 16:39:34 -0400 From: Grant Olson To: Ingo Klöcker On 5/6/11 3:48 PM, Ingo Klöcker wrote: > On Thursday 05 May 2011, Hauke Laging wrote: >> What is the differenc

Re: Best practice for periodic key change?

2011-05-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 6 May 2011 at 9:48:26 PM, Jerome Baum wrote: > If my key expired yesterday, no-one can > forge a message with that key and claim it's from > today. Never heard of a system clock that was wrong? - -- Best regards MFPA

Re: Best practice for periodic key change?

2011-05-06 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 6 May 2011 at 8:48:03 PM, Ingo Klöcker wrote: > Unless I'm missing something the difference is as > follows: - With prolongation of the expiration time > releases signed before the prolongation will keep > having a valid signat

Re: Best practice for periodic key change?

2011-05-06 Thread Doug Barton
On 05/06/2011 13:48, Jerome Baum wrote: On Fri, May 6, 2011 at 22:37, Doug Barton wrote: I don't understand this response. What I'm saying is that if the key is compromised, expiration dates become irrelevant. Up to a point. If my key expired yesterday, no

Re: Best practice for periodic key change?

2011-05-06 Thread Grant Olson
On 5/6/11 4:48 PM, Jerome Baum wrote: > On Fri, May 6, 2011 at 22:37, Doug Barton > wrote: > > > I don't understand this response. What I'm saying is that if the key > is compromised, expiration dates become irrelevant. > > > Up to a point. If my key expired

Re: Best practice for periodic key change?

2011-05-06 Thread Jerome Baum
On Fri, May 6, 2011 at 22:37, Doug Barton wrote: > > > I don't understand this response. What I'm saying is that if the key is > compromised, expiration dates become irrelevant. Up to a point. If my key expired yesterday, no-one can forge a message with that key and claim it's from today. Just

Re: Best practice for periodic key change?

2011-05-06 Thread Doug Barton
On 05/06/2011 08:34, Hauke Laging wrote: On Friday, 6 May 2011, 09:47:57, Doug Barton wrote: There's also another element, the expiration date is irrelevant if the key is actually compromised. If Eve has your secret key she can simply update or remove the expiration date, and upload the new

Re: Best practice for periodic key change?

2011-05-06 Thread Ingo Klöcker
On Thursday 05 May 2011, Hauke Laging wrote: > On Thursday, 5 May 2011, 11:19:30, Werner Koch wrote: > > A > > periodic key change is problematic because it confuses those who want > > to verify the signatures. > > > > BTW, the prolongation of the expiration time has shown (by means > > of a lo

Re: Best practice for periodic key change?

2011-05-06 Thread Hauke Laging
On Friday, 6 May 2011, 09:47:57, Doug Barton wrote: > There's also another element, the expiration date is irrelevant if the > key is actually compromised. If Eve has your secret key she can simply > update or remove the expiration date, and upload the new version of the > public key to the pub

Re: Best practice for periodic key change?

2011-05-06 Thread Daniel Kahn Gillmor
On 05/06/2011 03:47 AM, Doug Barton wrote: > There's also another element, the expiration date is irrelevant if the > key is actually compromised. If Eve has your secret key she can simply > update or remove the expiration date, and upload the new version of the > public key to the public keyserver

Re: very beginnerfriendly gpg

2011-05-06 Thread vedaal
Erica3 erica339 at safe-mail.net wrote on Fri May 6 14:25:23 CEST 2011: >I'm looking for the most newbie-friendly, easiest-to-use version of gpg. No writing commands, just clicking and if possible, I want to download and install the whole thing at once and not have to put things (gpg and inter

Re: I'm looking for a very beginnerfriendly gpg

2011-05-06 Thread Kevin Kammer
On Fri, May 06, 2011 at 05:25:23AM -0700, thus spoke Erica3: I'm looking for the most newbie-friendly, easiest-to-use version of gpg. No writing commands, just clicking and if possible, I want to download and install the whole thing at once and not have to put things (gpg and interface?) togethe

Re: I'm looking for a very beginnerfriendly gpg

2011-05-06 Thread Robert J. Hansen
> This might not be the right place, but I cross my fingers and hope that > someone here can help me or maybe give me a link to a better place to ask > this question. I've tried to find a forum for this, but I couldn't. You're in the right place, never fear. There are a lot of people here who are

I'm looking for a very beginnerfriendly gpg

2011-05-06 Thread Erica3
Hi everyone! This might not be the right place, but I cross my fingers and hope that someone here can help me or maybe give me a link to a better place to ask this question. I've tried to find a forum for this, but I couldn't. I'm looking for the most newbie-friendly, easiest-to-use version of gp

Re: scripting gpg

2011-05-06 Thread Jon Drukman
On Wed, May 4, 2011 at 5:44 PM, Jerome Baum wrote: > On Thu, May 5, 2011 at 02:19, Jon Drukman wrote: > >> putenv('HOME=/tmp/gpg'); >> @mkdir('/tmp/gpg'); >> > > At this point, you should be watching carefully. What if another user has > created this directory to spoof the key? > There are no o

Re: Best practice for periodic key change?

2011-05-06 Thread Doug Barton
On 05/05/2011 23:22, Andreas Heinlein wrote: Like Werner said, many people never refresh their keys, so expiring is indeed a way to force them to do that. (I admit that, in our case, even this will not help, since gpg will happily verify a signature made by an expired key. It will tell you that