[Announce] A new GnuPG snapshot (unstable)
Stefan H. Holek
stefan at epy.co.at
Sun Nov 4 17:40:02 CET 2001
--On Saturday, 03. November 2001 15:42 +0100 Werner Koch <wk at gnupg.org> wrote:
> On Sat, 3 Nov 2001 13:41:52 +0100 (CET), Stefan H Holek said:
>
>> I gave 1.0.6b a spin recently and found that the trustdb stuff has
>> considerably improved over 1.0.6. This is good news! Even expired keys
>> do now work for key validation, they did not in plain 1.0.6...
>
> I hope you mean that they are not used for key validation ...
Oh. But they are, and I think this is good ;-)
The situation is that I have a key that is about to expire, so I want to
create a new key and sign it with the old one to transfer its trust.
I first tried this about a year ago (with 1.0.4, admittedly) and failed
because when the signing key expired, it no longer worked for validation.
http://lists.gnupg.org/pipermail/gnupg-users/2000-October/006846.html
Now I created a scenario where Alice has signed Carol's key and Carol has
signed Donna's. Furthermore Alice trusts Carol completely and thus has a
path to Donna. I then expired Carol's key to look at the consequences.
before expiration (listing by 1.0.6):
/home/alice/.gnupg/pubring.gpg
------------------------------
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
sub:u:1024:16:0992322301BF90FB:2001-11-01:2002-04-30:59::::e:
pub:f:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:64:f:Carol::scESC:
sub:f:1024:16:4744413994545EC4:2001-11-01:2002-04-30:64::::e:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
sub:f:1024:16:6DE1D75D64BB1C1C:2001-11-01:2002-04-30:70::::e:
after expiration in 1.0.6:
/home/alice/.gnupg/pubring.gpg
------------------------------
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
sub:u:1024:16:0992322301BF90FB:2001-11-01:2002-04-30:59::::e:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
sub::1024:16:4744413994545EC4:2001-11-01:2002-04-30:::::e:
pub:q:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
sub:q:1024:16:6DE1D75D64BB1C1C:2001-11-01:2002-04-30:70::::e:
after expiration in 1.0.6b:
/home/alice/.gnupg/6b/pubring.gpg
---------------------------------
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:::Alice::scESC:
sub:u:1024:16:0992322301BF90FB:2001-11-01:2002-04-30:::::e:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
sub::1024:16:4744413994545EC4:2001-11-01:2002-04-30:::::e:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:::Donna::scESC:
sub:f:1024:16:6DE1D75D64BB1C1C:2001-11-01:2002-04-30:::::e:
As you can see, Donna is still trusted in 1.0.6b whereas in 1.0.6 Donna's
validity is lost. IMO the new behavior is correct as it should be
possible to verify signatures even after the key making them has expired,
and because Alice still trusts Carol's certification.
[snip]
And thanks for the explanations,
Stefan
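As an added illustration (not part of the thread and not GnuPG code), the following parses the `--with-colons` pub records quoted above, reports which keys changed validity between two listings of the same keyring, and models the two rules under discussion for a single certification: an expired certifier counts for nothing (1.0.6) versus certifications made before the certifier expired still count (1.0.6b). The certification date "2001-11-01" is a constructed assumption, and the rule model is a simplification, not GnuPG's trustdb algorithm.

```python
from dataclasses import dataclass

# The three listings quoted in the thread (pub records only), embedded here as sample input.
BEFORE = """\
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
pub:f:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:64:f:Carol::scESC:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
"""
AFTER_106 = """\
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:59:-:Alice::scESC:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
pub:q:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:70:-:Donna::scESC:
"""
AFTER_106B = """\
pub:u:1024:17:00C2AC030BCAA0B3:2001-11-01:2002-04-30:::Alice::scESC:
pub:e:1024:17:1F80257527E73A47:2001-11-01:2001-11-03:::Carol::scE:
pub:f:1024:17:8C20015102AC7E32:2001-11-01:2002-04-30:::Donna::scESC:
"""

@dataclass
class PubKey:
    validity: str    # field 1: u (ultimate), f (full), q (undefined), e (expired), ...
    expires: str     # field 6: ISO date, or empty when the key never expires
    ownertrust: str  # field 8: owner trust letter, e.g. f for full
    uid: str         # field 9: user id

def parse_colon_listing(text):
    """Return {keyid: PubKey} for the pub records of a --with-colons listing."""
    keys = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 10 and f[0] == "pub":  # ignore sub/uid/sig records and headers
            keys[f[4]] = PubKey(f[1], f[6], f[8], f[9])
    return keys

def validity_changes(before, after):
    """Keys whose validity letter differs between two listings of one keyring."""
    return {k: (before[k].validity, after[k].validity)
            for k in before if k in after and before[k].validity != after[k].validity}

def validity_via_certifier(certifier, sig_date, today, honor_old_sigs):
    """Validity a key gets from one certification by `certifier`, simplified:
    a fully trusted, unexpired certifier yields f; an expired certifier yields f
    only under the 1.0.6b-style rule and only for signatures made before expiry."""
    if certifier.ownertrust != "f":
        return "q"
    if not certifier.expires or today <= certifier.expires:
        return "f"
    return "f" if honor_old_sigs and sig_date <= certifier.expires else "q"
```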