On Mon, Sep 15, 2014 at 5:13 PM, Hauke Laging <mailinglis...@hauke-laging.de> wrote:
[snip]

> I have created his certificate. That is an offline mainkey and he is
> probably not capable (or willing) to extend the validity period. He is
> not going to replace the key. It is not considered compromised. We(?)
> even talked on the phone today.
>
> It is far from a serious assessment of the situation to claim that the
> key owner wants me not to use this key any more. And this situation is
> far less strange than the other ones offered in this thread.
>
> If you set an expiration date (no matter whether with GnuPG or the
> well-known GUIs) then the software does not tell you that senders were not
> allowed / not capable to use this key after that date. It says something
> about "How long shall it be valid?".

Respectfully, Hauke, we just disagree on this.

But your last comment raises a crucial point that I think has bugged OpenPGP for far too long: the software we use for OpenPGP has actually been far too liberal about letting people use "not valid" keys. This has taken pressure off the writers of user interfaces to find ways of encouraging users to use the software properly, and at the same time the web of trust has been shrouded in far too much mystique and mystery!

If a user sets up a key and sets the flag on the key that explicitly means, "Do not use it after this point", I think the software should enforce that. I can see that it creates a (small?) potential for a DoS attack, and I can see that there might be cases you want to override it in special circumstances.

As it happens though, it isn't exactly a strong protection for someone willing to delete revocation signatures and so on to make things work. The work-around is simple: wind your computer clock back and you'll be fine in this case.

N.