encrypting to expired certificates
Doug Barton
dougb at dougbarton.us
Mon Sep 15 23:53:43 CEST 2014
On 9/15/14 2:26 PM, Werner Koch wrote:
> On Mon, 15 Sep 2014 21:22, dougb at dougbarton.us said:
>
>> Imagine this scenario ... Alice sets an expiration date on her key
>> because she knows that after that expiration date her key is:
>>
>
> 0. Deleted to achieve some forward secrecy.
Yeah, I'm sure there are other scenarios I was not smart enough to
consider. :)
> Actually the semantics of an expired (sub)key may come from the 1999 or
> so idea of adding features to mitigate the effect of the UK RIP act (or
> whatever it is called now).
Wow, blast from the past. :) It's not clear to me how you're tying
those 2 things together though.
Meanwhile, I left out of my previous post my overwhelming dislike of the
expiration date feature. :) Robert has a really good point about GnuPG
not providing policy, and unfortunately a lot of users see the
"expiration date knob" and cannot resist the urge to twist it, without
understanding what it means, or why it should (or should not) be used,
or in many cases even that they themselves can extend the expiration
date if they choose to.
Frankly I wish the option had never been added to the spec, but
(thankfully) I'm not in charge. :)
Doug
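The thread is about what a sender should do with a key whose expiration date has passed. As an added example (not from the thread or from GnuPG itself), this script scans a `gpg --with-colons` key listing and reports the pub/sub records whose expiration field is already in the past, so a keyring can be audited before anyone encrypts to it. It assumes the current GnuPG colon format where fields 6 and 7 carry creation and expiration as epoch seconds; the key ids and timestamps in the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reads a
# `gpg --with-colons --list-keys` listing on stdin and prints one line
# "type keyid expiry" for every pub/sub record that has expired.
# Colon-format fields assumed (GnuPG doc/DETAILS): 1=record type,
# 2=validity, 5=key id, 6=creation time, 7=expiration time
# (epoch seconds, or empty when the key never expires).

# expired_keys NOW  -- NOW is epoch seconds; listing comes from stdin.
expired_keys() {
    now="$1"
    awk -F: -v now="$now" '
        ($1 == "pub" || $1 == "sub") && $7 != "" && ($7 + 0) <= (now + 0) {
            print $1, $5, $7
        }'
}

# has_expired_key NOW -- exit status 0 when stdin contains at least one
# expired pub/sub record, 1 otherwise (usable in an if/&& chain).
has_expired_key() {
    [ -n "$(expired_keys "$1")" ]
}

# Constructed sample listing: one key pair that expired at the start of
# 2014, one primary key without expiry whose subkey expires in 2017.
SAMPLE_LISTING='tru::1:1410800000:0:3:1:5
pub:e:2048:1:0123456789ABCDEF:1262304000:1388534400::u:::scESC:
uid:e::::1262304000::HASH::Alice <alice@example.org>:
sub:e:2048:1:FEDCBA9876543210:1262304000:1388534400:::::e:
pub:u:4096:1:0011223344556677:1400000000:::u:::scESC:
sub:u:4096:1:7766554433221100:1400000000:1500000000:::::e:'

# Run against the sample with "now" = 15 Sep 2014 (epoch 1410800000).
# Real use: gpg --with-colons --list-keys | expired_keys "$(date +%s)"
printf '%s\n' "$SAMPLE_LISTING" | expired_keys 1410800000
```

GnuPG itself refuses an expired key at encryption time, so the point of the scan is to find such keys ahead of time and decide, as the thread discusses, whether the owner meant that date as policy.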