At 12:45 PM 8/18/00 -0500, Bolan Meek wrote:
>Richard Braakman wrote:
> >
> > On Fri, Aug 18, 2000 at 04:36:26PM +0200, Stefan Alfredsson wrote:
> > > IIRC what happens is that a special signature is added to
> > > your key which informs of the new expiredate,
> > > and since this packet is signed by you it's effectively as
> > > if you'd chosen another expiry day to begin with.
> >
> > If that really works, expiry is useless.
> > The whole point of expiring keys is to reduce the risk of
> > them being compromised during their lifetime
> > (by shortening the lifetime).
> > If anyone who has the key can extend its expiry time, then what is the
> > point? You might as well not expire it in the first place.
>
>Except that only the holder of the key -the knower of the passphrase-
>is able to change that expiry, and then sign with it. If one
>is confident that the key has not been compromised, one ought
>to be able to keep the key effective. Freedom includes the freedom
>to change one's mind.

Alice signs her key, and sets it to expire on 31 December.

Bob shoulder-surfs Alice, and gets enough information to reduce the
search-space of a brute-force pass-phrase search drastically (he now knows
it's 10-15 characters, two spaces, no shifted characters). He also gets a
copy of her secret key ring from an off-site backup which Alice was unaware of.

On 31 December, Alice starts using her new key, confident that the old key
will expire and become invalid. She has no reason to suspect it has been
compromised. She deletes her old key and keyring.

On 15 January, Bob succeeds in guessing "who goes there", and has Alice's
expired secret key. He resets the clock in his computer to 15 December,
and resets the expiry date of Alice's key to the far future. Oops.

>But I don't use expiry: if I desire my keys to expire, I'll
>revoke them. Hmmm... Could I then 'unrevoke' them later? I
>think not: that should be the choice of the keyserver... (?)

I think expiry and revocation should be irrefutable acts.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
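The thread's point is that a self-signature's own creation timestamp proves nothing, because whoever holds the secret key also controls the clock that stamps it. The model below is an added illustration, not code from the thread or from any keyserver: a keyserver-side acceptance policy that decides on the time the update was received (its own clock) rather than the time claimed inside the signature, and treats revocation as final. The key/update records are a constructed simplification, not OpenPGP packet parsing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class ExpiryUpdate:
    """A self-signature that sets a new expiry (constructed model, not OpenPGP)."""
    claimed_created: datetime   # timestamp inside the signature: signer-controlled
    new_expiry: Optional[datetime]
    received_at: datetime       # when the keyserver saw it: server clock, not signer's


@dataclass
class KeyRecord:
    expiry: Optional[datetime]
    revoked: bool = False
    accepted: list = field(default_factory=list)


def apply_expiry_update(key: KeyRecord, upd: ExpiryUpdate) -> bool:
    """Accept an extension only while the key is still live, judged by receipt time.
    The claimed creation time is deliberately ignored: Bob can backdate it by
    resetting his clock, but cannot move the moment the server received it."""
    if key.revoked:
        return False                       # revocation is final, no 'unrevoke'
    if key.expiry is not None and upd.received_at >= key.expiry:
        return False                       # arrived after the key had lapsed
    key.expiry = upd.new_expiry
    key.accepted.append(upd)
    return True


def thread_scenario() -> dict:
    """Replays the Alice/Bob story from the message against the policy."""
    dec31, jan15 = datetime(2000, 12, 31, tzinfo=UTC), datetime(2001, 1, 15, tzinfo=UTC)
    alice_key = KeyRecord(expiry=dec31)
    # Bob, on 15 January with his clock wound back to 15 December, extends to 2099.
    bob = ExpiryUpdate(datetime(2000, 12, 15, tzinfo=UTC),
                       datetime(2099, 1, 1, tzinfo=UTC), received_at=jan15)
    # Alice herself extends on 1 December, before the key lapses.
    dec1 = datetime(2000, 12, 1, tzinfo=UTC)
    alice = ExpiryUpdate(dec1, datetime(2001, 12, 31, tzinfo=UTC), received_at=dec1)
    revoked_key = KeyRecord(expiry=None, revoked=True)
    return {"bob_accepted": apply_expiry_update(alice_key, bob),
            "alice_accepted": apply_expiry_update(KeyRecord(expiry=dec31), alice),
            "unrevoke_accepted": apply_expiry_update(revoked_key, alice)}
```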