Password reset
David Shaw
dshaw@jabberwocky.com
Tue Aug 21 14:41:02 2001
On Tue, Aug 21, 2001 at 05:41:10AM +0000, Subba Rao wrote:
> On 0, Florian Weimer <fw@deneb.enyo.de> wrote:
> > Subba Rao <subba9@home.com> writes:
> >
> > > My key was set to expire at the end of September. Will the public key on the
> > > key servers become completely obsolete to sign or encrypt anything?
> >
> > No, it doesn't. Some implementors choose to ignore expiration during
> > some operations, which makes expiration rather meaningless.
> >
>
> What about the revoked key? I have revoked my old key and sent it to
> the keyservers. Can a revoked key be used to sign a document or
> email? If you can, then isn't that something that could be used to
> mislead a user about the authenticity of the document or email?

Revocation and expiration are a very good and useful feature - but
they don't (and shouldn't) prevent people from using the revoked or
expired key.

OpenPGP puts the onus of deciding whether to use or trust a key on the
local user's side. This is good, as it puts the control where it
belongs, but it also means that revocations and expirations are really
just advisory (i.e. "please don't use this key anymore", and "please
don't use this key after such-and-such date.").

David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
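
What "advisory" means on the verifying side, as an added example that is not part of the original message: it assumes the verifier is GnuPG run with `--status-fd`, which reports a correct signature from an expired or revoked key under its own keyword and leaves the decision to the caller. The `evaluate` function, its `allow_expired_key` option, and the sample status lines (key ID and user ID included) are constructed for illustration.

```python
import re

# Keywords GnuPG emits on --status-fd after checking a signature. All four
# mean the signature is cryptographically correct; they differ only in the
# state of the signature or of the key that made it.
CORRECT_SIG = {
    "GOODSIG": "key is neither expired nor revoked",
    "EXPSIG": "signature has expired",
    "EXPKEYSIG": "signing key has expired",
    "REVKEYSIG": "signing key has been revoked",
}
FAILED_SIG = {
    "BADSIG": "signature does not verify",
    "ERRSIG": "signature could not be checked",
}
STATUS_RE = re.compile(r"^\[GNUPG:\] ([A-Z_]+) ([0-9A-F]+)\b")


def evaluate(status_output, allow_expired_key=False):
    """Apply a local policy; return (accepted, key_id, reason)."""
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # NEWSIG and other lines without a key ID
        keyword, key_id = m.groups()
        if keyword in FAILED_SIG:
            return (False, key_id, FAILED_SIG[keyword])
        if keyword in CORRECT_SIG:
            # The tool only reports the key state; accepting is our choice.
            accepted = keyword == "GOODSIG" or (
                keyword == "EXPKEYSIG" and allow_expired_key)
            return (accepted, key_id, CORRECT_SIG[keyword])
    return (False, None, "no signature status found")


# Constructed sample status output (key ID and user ID are made up).
_UID = "0123456789ABCDEF Test User <test@example.org>"
SAMPLES = {
    "good": "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG " + _UID,
    "expired": "[GNUPG:] NEWSIG\n[GNUPG:] EXPKEYSIG " + _UID,
    "revoked": "[GNUPG:] NEWSIG\n[GNUPG:] REVKEYSIG " + _UID,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, evaluate(text), evaluate(text, allow_expired_key=True))
```

A caller that only checks the tool's exit code or looks for any "good signature" text never sees this distinction, which is the situation the question in the thread worries about.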