On 2017/06/06 14:38, Peter Lebbing wrote:
> However, if somebody has used a timestamping service to prove the
> signature was in fact really issued before the key expired, you'll have
> to claim that you had already disclosed the secret key back then. Even
> though you didn't. So you can't prove it with a timestamping service
> because it is not actually the case.

Ah, yes. I was thinking of the case where the signature was forged, not one where the signature was genuine.

Repudiable signatures, like ephemeral keys, only really work in a synchronous environment such as chat or TLS. The signatures are checked automatically and thrown away before being presented to the user, which allows them to be valid for very short periods of time (on the order of seconds). The secret keys are then published (within the secure channel) immediately. In such an environment, any discrepancy found by referring to a timestamping service can be explained away by clock drift.

This reminds me of the side discussion at openPGPconf re ephemeral keys for email. At some point you have to admit that data-in-motion and data-at-rest security are fundamentally different beasts.

A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
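The sign, check, discard, then publish-the-key flow described in the message above, as an added example that is not part of the original thread. It uses Lamport one-time signatures built from `hashlib` as a stdlib-only stand-in for a real signature scheme; the function names, the `WINDOW` value and the integer clock are assumptions made for illustration.

```python
import hashlib
import secrets

WINDOW = 5  # seconds a signature stays acceptable (constructed value)

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets, public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg, ts):
    # The claimed signing time is signed together with the message.
    d = H(ts.to_bytes(8, "big") + msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg, ts):
    return [sk[i][b] for i, b in enumerate(bits(msg, ts))]

def sig_matches(pk, msg, ts, sig):
    # Pure cryptographic check: all a third party can run on a saved transcript.
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg, ts))))

def accept(pk, msg, ts, sig, now, key_disclosed):
    # Live check by the peer: only inside the window and before disclosure.
    fresh = 0 <= now - ts <= WINDOW
    return fresh and not key_disclosed and sig_matches(pk, msg, ts, sig)

def demo():
    sk, pk = keygen()
    t0 = 1_000  # constructed clock value, in seconds
    msg, sig = b"meet at noon", sign(sk, b"meet at noon", t0)
    live = accept(pk, msg, t0, sig, now=t0 + 1, key_disclosed=False)
    # The sender now publishes sk inside the channel; any holder can sign with it.
    fake, fake_sig = b"meet at midnight", sign(sk, b"meet at midnight", t0)
    late = accept(pk, msg, t0, sig, now=t0 + 60, key_disclosed=True)
    # Genuine and forged transcripts pass the same math, so neither proves authorship.
    return live, late, sig_matches(pk, msg, t0, sig), sig_matches(pk, fake, t0, fake_sig)

if __name__ == "__main__":
    print(demo())
```

The peer's acceptance depends on freshness and on the key still being secret, which is why the scheme fits a live channel and not stored mail.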