Discussion:
Can I sign new key with expired key?
Dave U. Random
2014-10-21 10:47:51 UTC
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
David E. Ross
2014-10-21 22:52:22 UTC
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.

The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
William Unruh
2014-10-21 23:32:11 UTC
Post by David E. Ross
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
Keys are usually expired because it is feared that they may have been
leaked and that enemies know them. That fear may be due to knowledge or
due to the belief that the longer the key is used, the greater the
chance it leaked. Now if the key has leaked, then the other person who
has the private key can send messages, can sign messages, can sign new
keys, and can imitate the owner in any and all ways.
Expiry says: "I do not trust my own private key, and you sure as hell
should not trust it". Thus using it to sign a new key would be silly,
since you yourself have said that someone else could probably do that as
well as you. I.e., your expiry says that the signer could be that imposter
just as well as it could be you.

Now you might say "But I did not expire it because I thought it was
stolen but just because my protocol forced me to". Unfortunately no one
else would be advised to believe that. The person who says that could be
the thief saying that.

The advantage and problem with public key crypto is that you can
communicate with people who do not know you at all. That is great. But
it is also a problem since there is no way to convince them that you are
you, except with the key, which your expiry told them was a bad key.
Post by David E. Ross
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
David E. Ross
2014-10-22 17:08:27 UTC
Post by William Unruh
Post by David E. Ross
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
Keys are usually expired because it is feared that they may have been
leaked and that enemies know them. That fear may be due to knowledge or
due to the belief that the longer the key is used, the greater the
chance it leaked. Now if the key has leaked, then the other person who
has the private key can send messages, can sign messages, can sign new
keys, and can imitate the owner in any and all ways.
Expiry says: "I do not trust my own private key, and you sure as hell
should not trust it". Thus using it to sign a new key would be silly,
since you yourself have said that someone else could probably do that as
well as you. I.e., your expiry says that the signer could be that imposter
just as well as it could be you.
Now you might say "But I did not expire it because I thought it was
stolen but just because my protocol forced me to". Unfortunately no one
else would be advised to believe that. The person who says that could be
the thief saying that.
The advantage and problem with public key crypto is that you can
communicate with people who do not know you at all. That is great. But
it is also a problem since there is no way to convince them that you are
you, except with the key, which your expiry told them was a bad key.
Post by David E. Ross
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
What you term "expired keys" are actually revoked keys. When generating
a new key-pair, the user has the option to set an expiration date. This
has nothing to do with the private key being compromised; it is merely
the user's practice not to have long-term keys.
--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
William Unruh
2014-10-22 23:50:18 UTC
Post by David E. Ross
Post by William Unruh
Post by David E. Ross
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
Keys are usually expired because it is feared that they may have been
leaked and that enemies know them. That fear may be due to knowledge or
due to the belief that the longer the key is used, the greater the
chance it leaked. Now if the key has leaked, then the other person who
has the private key can send messages, can sign messages, can sign new
keys, and can imitate the owner in any and all ways.
Expiry says: "I do not trust my own private key, and you sure as hell
should not trust it". Thus using it to sign a new key would be silly,
since you yourself have said that someone else could probably do that as
well as you. I.e., your expiry says that the signer could be that imposter
just as well as it could be you.
Now you might say "But I did not expire it because I thought it was
stolen but just because my protocol forced me to". Unfortunately no one
else would be advised to believe that. The person who says that could be
the thief saying that.
The advantage and problem with public key crypto is that you can
communicate with people who do not know you at all. That is great. But
it is also a problem since there is no way to convince them that you are
you, except with the key, which your expiry told them was a bad key.
Post by David E. Ross
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
What you term "expired keys" are actually revoked keys. When generating
a new key-pair, the user has the option to set an expiration date. This
has nothing to do with the private key being compromised; it is merely
the user's practice not to have long-term keys.
And the reason that a user does not want long-term keys is because of
the worry that the longer the key is out there the higher the
probability that the key is compromised. And having the key usable
after auto revoking would make that safeguard pretty useless.
Dave U. Random
2014-10-24 10:19:08 UTC
Post by William Unruh
....
Keys are usually expired because it is feared that they may have been
leaked and that enemies know them. That fear may be due to knowledge or
due to the belief that the longer the key is used, the greater the
chance it leaked. Now if the key has leaked, then the other person who
has the private key can send messages, can sign messages, can sign new
keys, and can imitate the owner in any and all ways.
Expiry says: "I do not trust my own private key, and you sure as hell
should not trust it". Thus using it to sign a new key would be silly,
since you yourself have said that someone else could probably do that as
well as you. I.e., your expiry says that the signer could be that imposter
just as well as it could be you.
Now you might say "But I did not expire it because I thought it was
stolen but just because my protocol forced me to". Unfortunately no one
else would be advised to believe that. The person who says that could be
the thief saying that.
The advantage and problem with public key crypto is that you can
communicate with people who do not know you at all. That is great. But
it is also a problem since there is no way to convince them that you are
you, except with the key, which your expiry told them was a bad key.
....
Yeah, I screwed up. I will need to do better in the future. Thanks
for your advice.
Anonymous
2014-10-24 11:55:24 UTC
Post by David E. Ross
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
Okay, thanks for the information. I should have been paying better
attention. I wonder if I should just leave the next gpg key as one
that never expires. I know the arguments for expiring them, but
this latest gaffe of mine breaks a chain.

Maybe I can come up with some idea that will allow me to have an
expiration date for a key but have that key still be something
that will allow continuity if I let it expire. Or I could try to
get myself to pay better attention to my key expiration date. I
think I'd better concentrate on that first option.
David E. Ross
2014-10-27 00:32:16 UTC
Post by Anonymous
Post by David E. Ross
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
Okay, thanks for the information. I should have been paying better
attention. I wonder if I should just leave the next gpg key as one
that never expires. I know the arguments for expiring them, but
this latest gaffe of mine breaks a chain.
Maybe I can come up with some idea that will allow me to have an
expiration date for a key but have that key still be something
that will allow continuity if I let it expire. Or I could try to
get myself to pay better attention to my key expiration date. I
think I'd better concentrate on that first option.
I do not set expiration dates on my keys. However, when I generate a
new key-pair, I create a revocation certificate and save it on an
external medium in case something happens to my PC and I cannot recover
my keys. See
<http://www.spywarewarrior.com/uiuc/ss/revoke/pgp-revoke.htm>.
--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
Anonymous
2014-10-28 09:25:01 UTC
Post by David E. Ross
Post by Anonymous
Post by David E. Ross
Post by Dave U. Random
My key expired some time ago and I've made a new one. Can I sign
the new key with the old key so that people will see that it's
still me and not some imposter?
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair and sign the new
public key with the old key before the old key expires.
Okay, thanks for the information. I should have been paying better
attention. I wonder if I should just leave the next gpg key as one
that never expires. I know the arguments for expiring them, but
this latest gaffe of mine breaks a chain.
Maybe I can come up with some idea that will allow me to have an
expiration date for a key but have that key still be something
that will allow continuity if I let it expire. Or I could try to
get myself to pay better attention to my key expiration date. I
think I'd better concentrate on that first option.
I do not set expiration dates on my keys. However, when I generate a
new key-pair, I create a revocation certificate and save it on an
external medium in case something happens to my PC and I cannot recover
my keys. See
<http://www.spywarewarrior.com/uiuc/ss/revoke/pgp-revoke.htm>.
Yeah, I have revocation certificates for each key. I'll probably
start doing the same as you.

Thanks.
Arnold
2014-10-31 00:16:05 UTC
Post by Anonymous
Post by David E. Ross
My key expired some time ago and I've made a new one. Can I sign the
new key with the old key so that people will see that it's still me
and not some imposter?
No, not as long as you do not update the expiry date.
Post by Anonymous
Post by David E. Ross
No, the expired key cannot be used for anything except to decrypt files
and messages that were encrypted by it before it expired.
Signatures can be checked too.
Post by Anonymous
Post by David E. Ross
The usual procedure is to set a calendar reminder on your computer that
the existing key will expire in a few weeks or a month. When reminded
about the pending expiration, generate a new key-pair
There is no need to generate a new key-pair if you only want to change
the expiry date.
Post by Anonymous
Post by David E. Ross
and sign the new
public key with the old key before the old key expires.
Okay, thanks for the information. I should have been paying better
attention.
So you mean it expired, but you did not want it to expire? As long as you
have the private key, you can set a new expiry date. The following link
gives detailed instructions.

http://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/
Post by Anonymous
I wonder if I should just leave the next gpg key as one that
never expires. I know the arguments for expiring them, but this latest
gaffe of mine breaks a chain.
Well, I don't know what your arguments are, but these are the two main
reasons:
- If you switch to a new (stronger) key, you can force others to use
that new key. As the old key expires others cannot use it to encrypt data
to you any more.
- You force people to update your key after a given time. That way you
can make sure they refresh your key with the revocation certificate if
you revoked your key. If your key never expires, people using the key may
never notice your key has been revoked...


The expiration date does not protect you in case your private key gets
compromised and you are unable to revoke it. That is because anyone
having your private key can set a new expiry date as shown in the link
above.
Post by Anonymous
Maybe I can come up with some idea that will allow me to have an
expiration date for a key but have that key still be something that
will allow continuity if I let it expire.
If I understand you correctly, updating the expiry date (even of an
expired key) as indicated above is what you want.
Post by Anonymous
Or I could try to get myself
to pay better attention to my key expiration date.
It is good to update your expiration date well in advance. That way
people using your key have a large time frame in which they can refresh
your key. For example, if you set it to expire in two years, do a yearly
update. That way people using your key can pick their own favorite moment
to update their keyring.

Arnold
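A check for the reminder procedure David E. Ross describes and the expiry states Arnold distinguishes, added here as an example and not code from any poster: it parses the machine-readable output of `gpg --with-colons --list-keys` (the sample keyring below is constructed) and flags primary keys that have expired, expire within a warning window, or carry no expiry date at all.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --with-colons --list-keys`; key IDs, dates and
# user IDs are made up. Field 2 = validity, field 5 = key ID, field 7 = expiry.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:1760000000::u:::scESC::::::23::0:
uid:u::::1600000000::HASH::Alice Example <alice@example.invalid>::::::::::0:
pub:e:4096:1:CCCCCCCCCCCCCCCC:1400000000:1500000000::-:::scESC::::::23::0:
uid:e::::1400000000::HASH::Old Key <old@example.invalid>::::::::::0:
pub:u:255:22:DDDDDDDDDDDDDDDD:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::HASH::No Expiry <never@example.invalid>::::::::::0:
"""

def parse_date(field):
    """Fields 6/7: Unix seconds (GnuPG 2.x) or YYYY-MM-DD (GnuPG 1.x); empty = none."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), timezone.utc)
    return datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def parse_keys(colon_output):
    """One dict per primary ('pub') key: key_id, validity and expiry datetime."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"key_id": f[4], "validity": f[1],
                         "expires": parse_date(f[6])})
    return keys

def expiry_report(colon_output, now, warn_days=30):
    """Map key_id -> 'expired' | 'expiring' | 'ok' | 'never'."""
    deadline, report = now + timedelta(days=warn_days), {}
    for k in parse_keys(colon_output):
        if k["expires"] is None:
            state = "never"        # no date: a reminder has nothing to track
        elif k["validity"] in ("e", "r") or k["expires"] <= now:
            state = "expired"      # extend the date (needs the private key) or rotate
        elif k["expires"] <= deadline:
            state = "expiring"     # act now: extend, or generate and cross-sign a successor
        else:
            state = "ok"
        report[k["key_id"]] = state
    return report

if __name__ == "__main__":
    print(expiry_report(SAMPLE, datetime.now(timezone.utc)))
```

Feed it the real output of `gpg --with-colons --list-keys`; a key reported as expiring or expired can be given a new date with `gpg --edit-key <key ID>` and its `expire` command, as the linked instructions describe.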
