From: Ingo Klöcker
Date: Tue, 03 Jan 2012 20:49:21 +0000
To: gnupg-users
Subject: Re: Question regarding unknown certificates
Message-Id: <201201032149.22120 () thufir ! ingo-kloecker ! de>
X-MARC-Message: https://marc.info/?l=gnupg-users&m=132562411319381

On Tuesday 03 January 2012, Jerome Baum wrote:
> On 2012-01-03 10:59, Werner Koch wrote:
> > I will keep them in the file because these certificates are useful
> > in the "chain" validation model. Usually we use the "shell" model
> > where expiration dates have an obvious meaning. For German
> > qualified signatures the "chain" model is required. Basically, it
> > compares the expiration date to the date given in the signatures.
>
> I lack the experience to understand how the chain model makes any
> sense at all. Would anyone care to elaborate?
>
> In my understanding, a signing key can be set to expire to help
> prevent unauthorized use. AFAIK there is no other use in expiring a
> signing key. The situation is different with an encryption key but
> let's focus on signing keys because that's what CA keys are. So we
> need only worry about abuse.
>
> Now say I'm a CA and my key is set to expire in 4 weeks. I now make a
> certification on another key that is set to expire in a year.

What expires a year from now? Your signature on the other key or the
other key itself? I guess you meant the other key. (If you sign a key
with a key with expiration date with GnuPG then you will be asked
whether the signature shall expire at the same date as your key.)

> Now
> look 5 weeks into the future, my key is stolen. At this point, in
> the shell model, the key is useless to an attacker -- the point in
> expiring my key in the first place.

If your key is stolen, but not compromised, i.e. the attacker has not
cracked your password, then the key is useless to the attacker
regardless of any expiration. OTOH, if your key is compromised then the
attacker will simply set a new expiration date.

The only protection against abuse of a stolen (and potentially
compromised) key is the revocation of the key.

Regards,
Ingo
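The difference between the "shell" and "chain" validation models that Werner describes, and Ingo's point that a holder of the secret key can simply push the expiration date out again, can be traced in a few lines. The following Python sketch is an added example, not code from the thread and not GnuPG's own implementation: the Key and Certification classes, the dates (Jerome's 4-week CA expiry, a certification made "today", verification 5 weeks later) and the scenario() function are all constructed here, and revocation is simplified to an unconditional flag (GnuPG distinguishes revocation reasons and trusts signature creation dates in ways this sketch ignores).

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Constructed dates for Jerome's scenario: the CA key expires in 4 weeks,
# the certification is made today, and we verify it 5 weeks from today.
TODAY = date(2012, 1, 3)
CA_EXPIRY = TODAY + timedelta(weeks=4)
FIVE_WEEKS_LATER = TODAY + timedelta(weeks=5)


@dataclass(frozen=True)
class Key:
    """Hypothetical minimal view of a signing key (assumption, not OpenPGP's data model)."""
    name: str
    expires: Optional[date]   # None: the key never expires
    revoked: bool = False     # simplification: any revocation is treated as fatal


@dataclass(frozen=True)
class Certification:
    """A signature made by `signer` over some other key on `made_on`."""
    signer: Key
    made_on: date


def key_usable_on(key: Key, when: date) -> bool:
    """A key may be used on `when` if it is not revoked and has not yet expired."""
    if key.revoked:
        return False
    return key.expires is None or when < key.expires


def valid_shell(cert: Certification, now: date) -> bool:
    """Shell model: the signing key must be usable at verification time,
    so once the key expires every certification it ever made stops validating."""
    return key_usable_on(cert.signer, now)


def valid_chain(cert: Certification, now: date) -> bool:
    """Chain model: the signing key must have been usable when the certification
    was made; the key expiring afterwards does not matter. `now` is accepted only
    to keep the two models interchangeable. Note that the creation date is part of
    the signature itself, i.e. chosen by whoever holds the secret key."""
    return key_usable_on(cert.signer, cert.made_on)


def scenario() -> dict:
    """Walk through Jerome's example and Ingo's reply; returns the verdicts."""
    ca = Key("CA", expires=CA_EXPIRY)
    cert = Certification(signer=ca, made_on=TODAY)
    results = {
        # Five weeks later the CA key has expired: the shell model rejects the
        # certification, the chain model still accepts it (it was made in time).
        "shell_after_expiry": valid_shell(cert, FIVE_WEEKS_LATER),
        "chain_after_expiry": valid_chain(cert, FIVE_WEEKS_LATER),
    }
    # Ingo's point: whoever controls the secret key (and its passphrase) can
    # issue a new self-signature with a later expiration date, so in the shell
    # model expiry alone is no protection against a compromised key ...
    ca_extended = replace(ca, expires=FIVE_WEEKS_LATER + timedelta(weeks=52))
    cert_extended = replace(cert, signer=ca_extended)
    results["shell_after_reexpiry"] = valid_shell(cert_extended, FIVE_WEEKS_LATER)
    # ... and only a revocation stops further use, in either model.
    ca_revoked = replace(ca_extended, revoked=True)
    cert_revoked = replace(cert_extended, signer=ca_revoked)
    results["shell_after_revocation"] = valid_shell(cert_revoked, FIVE_WEEKS_LATER)
    results["chain_after_revocation"] = valid_chain(cert_revoked, FIVE_WEEKS_LATER)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:24s} {verdict}")
```

The sketch makes the practical consequence visible: in the shell model an expiry date only limits how long a certification stays verifiable, and a compromised key's expiry can be reset by the attacker, so the control that actually works against a stolen key is publishing a revocation certificate.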