Rare condition incompatibility of public key

David Shaw dshaw at jabberwocky.com
Tue Dec 2 19:32:31 CET 2008


On Tue, Dec 02, 2008 at 12:38:10PM -0300, Faramir wrote:
> David Shaw wrote:
> > On Mon, Dec 01, 2008 at 09:05:24PM +0100, Myckel Habets wrote:
> 
> >> The screenshot he showed (the one where my key validated bad) showed
> >> still the old expiration date. Is this somewhere stored in the key
> >> itself? (it kept showing up even after he removed my public key and
> ...
> > It is stored on the key (in one of the self-signatures of the key, to
> > be precise).  The problem is that pgp 6.5.8 doesn't handle expiration
> > properly, so it is not understanding that your key (having two
> > expiration dates, the original one and the new one) was un-expired.
> 
>   Maybe "cleaning" the public key before sending it would help... or am
> I wrong? IIRC, the clean command would remove the old signature, since
> it has been superseded by the new one...

It probably would help, yes, since that removes the older selfsig that
contains the expiration.  It doesn't really solve the problem though -
as soon as the 6.5.8 person updates keys, the problem selfsig will
come back again.

They could keep a copy of GPG around to clean keys for 6.5.8, but then
it does raise the question why they don't just use the GPG that is
sitting there...

This is a perfect example of why 6.5.8 is bad: it more or less can be
made to work, but requires special steps to be taken which raises the
difficulty level of using PGP.  It removes the "it just works" and
replaces it with "it sort of works, but you have to ask lots of
questions on mailing lists and hit Google regularly".  That turns
people off from using PGP.

One of the great things that I think that the PGP company did in their
new system is spend a lot of effort to make it "just work".  I like
the idea behind GPGrelay (http://sites.inka.de/tesla/gpgrelay.html)
for the same reason.  I don't use it - it's not targeted at me - but
the idea is a nice one.

David
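The thread above hinges on a key carrying two self-signatures with different expiration subpackets, the older one being what `clean` strips. A quick way to see whether an exported key still carries such a superseded self-signature is to inspect `gpg --list-packets` output. The parser below is an added example, not code from this thread or from GnuPG; its sample input is constructed in the style of list-packets output (the format is assumed, so compare with your own gpg version) and the key ID in it is made up.

```python
import re

# Constructed sample in the style of `gpg --list-packets` (format assumed, key ID made up):
# one key, one user ID, and two self-signatures, each with its own "key expires" subpacket.
SAMPLE = """\
:public key packet:
	version 4, algo 17, created 1196553600, expires 0
	keyid: 0123456789ABCDEF
:user ID packet: "Example User <user at example.invalid>"
:signature packet: algo 17, keyid 0123456789ABCDEF
	version 4, created 1196553600, md5len 0, sigclass 0x13
	hashed subpkt 9 len 4 (key expires after 1y0d0h0m)
	subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
:signature packet: algo 17, keyid 0123456789ABCDEF
	version 4, created 1228176000, md5len 0, sigclass 0x13
	hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
	subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
"""

def parse_packets(text):
    """Group list-packets output into (header line, indented detail lines)."""
    packets = []
    for line in text.splitlines():
        if line.startswith(":"):
            packets.append((line, []))
        elif packets:
            packets[-1][1].append(line.strip())
    return packets

def self_signatures(text):
    """Certifications (sigclass 0x10-0x13) issued by the key on itself, oldest first."""
    primary, sigs = None, []
    for header, body in parse_packets(text):
        detail = "\n".join(body)
        if header.startswith(":public key packet:"):
            primary = re.search(r"keyid: ([0-9A-Fa-f]+)", detail).group(1)
        elif header.startswith(":signature packet:"):
            issuer = re.search(r"keyid ([0-9A-Fa-f]+)", header).group(1)
            sigclass = int(re.search(r"sigclass 0x([0-9a-fA-F]+)", detail).group(1), 16)
            if issuer != primary or not 0x10 <= sigclass <= 0x13:
                continue  # third-party certification or a non-certification signature
            exp = re.search(r"key expires after ([^)]+)", detail)
            sigs.append({"created": int(re.search(r"created (\d+)", detail).group(1)),
                         "expires": exp.group(1) if exp else None})
    return sorted(sigs, key=lambda s: s["created"])

def superseded_selfsigs(text):
    """All but the newest self-sig: stale expiration data that `clean` would drop."""
    return self_signatures(text)[:-1]
```

Feed it the output of `gpg --export KEYID | gpg --list-packets`; a non-empty result from `superseded_selfsigs` is the condition that confuses an implementation which does not pick the newest self-signature.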
