SKS-Keyserver returns negative timestamp

Andrew Gallagher andrewg at andrewg.com
Mon Feb 26 19:36:05 CET 2024


On 26 Feb 2024, at 17:42, Jan Girlich <vollkorn at cryptobitch.de> wrote:
> 
> On Mon, 2024-02-26 at 17:14 +0000, Andrew Gallagher wrote:
>> On 26 Feb 2024, at 14:29, Jan Girlich <vollkorn at cryptobitch.de>
>> wrote:
>>> 
>>> How is the timestamp '-62135596800' to be interpreted?
>> 
>> It would normally be interpreted as “seconds before the epoch”, but
>> in this particular case the key is unparseable, so the number is
>> meaningless. Keys can be unparseable for many reasons, but the most
>> common one is the use of an obsolete primary key algorithm, such as
>> RSA512 or Elgamal encrypt-and-sign.
> 
> thanks for this explanation. I know that this key worked fine from the
> same keyserver before.

This was most likely before it was migrated from sks-keyserver to hockeypuck, about three(?) years ago.

> Should I be worried about the integrity of the
> web of trust with regard to corrupted keys? Or could it be that since
> this key has been revoked that the keyserver is giving nonsensical
> responses on purpose?

So, for a bit of context, epoch minus 62135596800 is 1 Jan 0001. This is the default “zero time” in golang, meaning that any uninitialised timestamp variable will return this value. The expiry time for this key is uninitialised because there are no valid self-signatures over this key, which in turn is because it is an RSA1024 key, which is no longer supported by go-crypto/openpgp and therefore its signatures are unparseable by hockeypuck. In a sense, it is “not even revoked”. Any WoT certifications made by this key are no longer cryptographically sound and should not be relied upon.

A
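The zero-time behaviour described above, as an added example that is not part of the original message and is not hockeypuck's code: a client-side check that treats -62135596800 as "never set" instead of converting it to a date. It assumes the value arrives in an HKP machine-readable index `pub:` line; the function names are hypothetical and the sample lines and key IDs are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// goZeroUnix is time.Time{}.Unix(): 1 Jan 0001 00:00:00 UTC as Unix seconds.
var goZeroUnix = time.Time{}.Unix()

// classifyTimestamp (hypothetical helper) interprets one timestamp field.
func classifyTimestamp(field string) (time.Time, string) {
	if field == "" {
		return time.Time{}, "unset" // empty field: no value given
	}
	secs, err := strconv.ParseInt(field, 10, 64)
	if err != nil {
		return time.Time{}, "malformed"
	}
	if secs == goZeroUnix {
		// The server serialised a Go time.Time that was never assigned.
		return time.Time{}, "uninitialised"
	}
	return time.Unix(secs, 0).UTC(), "ok"
}

// checkPubLine assumes the layout pub:<keyid>:<algo>:<keylen>:<creation>:<expiry>:<flags>
func checkPubLine(line string) (creation, expiry string, err error) {
	f := strings.Split(line, ":")
	if len(f) < 6 || f[0] != "pub" {
		return "", "", fmt.Errorf("not a pub line: %q", line)
	}
	_, creation = classifyTimestamp(f[4])
	_, expiry = classifyTimestamp(f[5])
	return creation, expiry, nil
}

func main() {
	// Constructed sample lines; key IDs are placeholders.
	for _, l := range []string{
		"pub:0000000000000000:1:1024:946684800:-62135596800:",
		"pub:1111111111111111:1:4096:1609459200::",
	} {
		c, e, err := checkPubLine(l)
		fmt.Println(c, e, err)
	}
}
```
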
