Renewing expiring key - done correctly?

Leo Gaspard ekleog at gmail.com
Thu Dec 5 00:14:10 CET 2013


On Tue, Dec 03, 2013 at 07:26:09PM -0500, Robert J. Hansen wrote:
> On 12/3/2013 6:59 PM, Hauke Laging wrote:
> > It may be possible to prevent someone from seeing the revocation
> > certificate. Certificate distribution is a lot less secure than the
> > keys themselves. But you cannot trick someone into using an expired
> > key.
>
> Of course you can.  Reset their computer's clock.  You don't even have
> to compromise their computer in order to do it: compromising whatever
> NTP server they're contacting is enough.

AFAIK by default ntpd dismisses changes to the RTC when NTP time is off more than
15 min of the RTC. One would need a special flag to force it to update the clock
in this case. (at least the ntpd I used)

So you could only delay the expiration date by 15 min... So useful ?



More information about the Gnupg-users mailing list