At 12:50 PM 5/16/2011, Robert J. Hansen wrote:
> On Mon, 16 May 2011 11:32:15 -0600, Steve Strobel
> <steve.stro...@link-comm.com> wrote:
> >         root:~> gpg --import test-key.gpg
> >         gpg: key CBF38289 was created 137948617 seconds in the future
> >         (time warp or clock problem)
>
> This is exactly what it sounds like: according to your certificate, it was
> created about five and a half months from now.[1]  To GnuPG, that sounds
> like something's hinky and it refuses to allow it to be imported.  You've
> managed to get around it by telling GnuPG, "listen, fine, strip off the
> hinky signature: /now/ will you accept it?"
>
> And in that case, sure, GnuPG will: but the consequence of it is you've
> got a UID that's missing a signature.  Hence, "allow-nonselfsigned-uid"
> must be passed on the command line.

Thanks for the tip. Just setting the date on the embedded device before importing the key made it work without "--allow-non-selfsigned-uid".

That still leaves me without a straightforward solution, though. The embedded device doesn't have a battery-backed clock and doesn't need one. It will sometimes have Internet access and could potentially use NTP when available to set the date. That seems like a lot of extra complexity just to import a key. The user interface doesn't make it easy to ask the user for the date. What would the security implications be of just setting the clock to a fixed future date before importing the key?

> [1] As an undergraduate Prof. Hill once mused to me, "Math is funny.  You
> tell someone how many seconds are in a year, they forget it immediately.
> You tell them that accurate to half a percent there are pi seconds in a
> nanocentury and they remember it for life."  He was right, I've never
> forgotten, and that's made it easy to remember there are 31.4 million (3.14
> * 10**7) seconds in a year.  13.8 million / 31.4 million = 137/314 = 0.44
> of a year, * 12 = five and a half months, more or less.  Not really
> relevant to GnuPG, but a handy factoid for timestamp calculations, if you
> ever need to do them in a hurry.

That is a great way to remember.  Now if remembering names was just as easy...

Thanks again,
Steve


---
Steve Strobel
Link Communications, Inc.
1035 Cerise Rd
Billings, MT 59101-7378
(406) 245-5002 ext 102
(406) 245-4889 (fax)
WWW: http://www.link-comm.com
MailTo:steve.stro...@link-comm.com


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users