sks-devel

Re: [Sks-devel] expiration date in machine readable results


From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] expiration date in machine readable results
Date: Thu, 18 Oct 2012 19:39:12 -0400
User-agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20121015 Icedove/10.0.9

On 10/18/2012 03:08 PM, k clair wrote:
> I've noticed that the search results with the mr option do not return the 
> expiration date of a key.

This is a good catch.  It looks to me like sks is not publishing
expiration dates of user IDs in particular.

I don't know of a key that has explicit per-key expiration set so i
don't know if that is also an issue.


Key Expiration vs. User ID expiration
--------------------------------------

OpenPGP certificates are structured with (at least) a primary key and
one or more User IDs.  When we say a key is "expired", it usually means
that all of its associated user IDs have expired self-signatures.

While the primary key itself can have an expiration date associated with
it [0], the common way for OpenPGP clients (gnupg, in particular) to
represent expiration is to mark the User IDs with an expiration time in
their self-sig [1].  I don't even see a way to set the expiration date
of the primary key directly in gpg.

Expiration of subkeys does not matter here, since subkeys aren't emitted
by this HKP query at all.

is SKS wrong?
-------------

The only public reference for the keyserver protocol suggests [2] that
for machine-readable format:

   Note that empty fields are allowed.  For example, a key with no
   expiration date would have the <expirationdate> field empty.  Also,
   a keyserver that does not track a particular piece of information
   may leave that field empty as well.

But i'm pretty sure SKS is aware of the expiration date of a user ID.
So it seems to me like it should output it.

Looking at the source, i don't think i understand why it isn't being
emitted.

In particular, mRindex.ml declares uid_to_line, which itself derives a
list of (creation, expiration) times from the list of signatures using
ParsePGP.get_times.

get_times in ParsePGP.ml checks the subpacket type against
ssp_exptime_id, which is set to 3 (which is correct, afaict [3]).  Is
there maybe something wrong with the use of ~f:max in uid_to_line in
mRindex.ml ?

  let (ctime,exptime) =
    List.fold_left ~init:(None,None) ~f:max times

i'm afraid i don't know enough ocaml to be able to sort this out myself.

note that the keyserver should not be interested in the maximum
expiration time over *all* self-sigs; it should be interested in the
expiration time of the self-sig with the maximum creation time.

        --dkg

[0] https://tools.ietf.org/html/rfc4880#section-5.2.3.6
[1] https://tools.ietf.org/html/rfc4880#section-5.2.3.10
[2] https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5.2
[3] https://tools.ietf.org/html/rfc4880#page-25

Attachment: signature.asc
Description: OpenPGP digital signature
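The selection rule stated at the end of the mail (report the expiration carried by the self-signature with the greatest creation time, not the greatest expiration over all self-signatures) is easy to get wrong with a plain max-fold, so the following added example, which is not SKS code and not part of the original message, contrasts the two strategies on constructed self-signature lists and formats the resulting `uid:` line with an empty expiration field as the HKP draft allows. The `SelfSig` records, their absolute expiration timestamps, the choice of the newest self-sig's creation time as the `creationdate` field and the minimal colon-escaping are all assumptions of this illustration:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SelfSig:
    """One self-signature over a User ID (constructed model, not SKS's type).

    created: signature creation time, seconds since the epoch.
    expires: absolute expiration time for the User ID set by this self-sig,
             or None if this self-sig does not set an expiration.
    """
    created: int
    expires: Optional[int]


def max_over_all(sigs: List[SelfSig]) -> Optional[int]:
    """Largest expiration over *all* self-sigs: the rule the mail argues against.

    A newer self-sig that shortens or removes the expiration is ignored,
    so the key looks valid for longer than its owner intended.
    """
    exps = [s.expires for s in sigs if s.expires is not None]
    return max(exps) if exps else None


def latest_selfsig_expiration(sigs: List[SelfSig]) -> Optional[int]:
    """Expiration carried by the self-sig with the greatest creation time.

    The most recent self-sig is the owner's current statement about the
    User ID; older ones are superseded, whatever expiration they carry.
    """
    if not sigs:
        return None
    newest = max(sigs, key=lambda s: s.created)
    return newest.expires


def mr_uid_line(uid: str, sigs: List[SelfSig]) -> str:
    """Build a machine-readable 'uid:' line of the form
    uid:<escaped uid>:<creationdate>:<expirationdate>:<flags>
    (field layout per draft-shaw-openpgp-hkp-00 section 5.2).

    An absent expiration is emitted as an empty field, as the draft allows.
    Escaping here only replaces ':' (assumption; a real implementation
    would apply the draft's full escaping rules). The creation date used is
    that of the newest self-sig (assumption).
    """
    newest = max(sigs, key=lambda s: s.created)
    exp = latest_selfsig_expiration(sigs)
    escaped = uid.replace(":", "%3A")
    return "uid:%s:%d:%s:" % (escaped, newest.created,
                              "" if exp is None else str(exp))


# Constructed inputs: an older self-sig with a long expiration, then a
# newer self-sig that either shortens it or removes it entirely.
SHORTENED = [SelfSig(created=1000, expires=9000), SelfSig(created=2000, expires=3000)]
REMOVED = [SelfSig(created=1000, expires=5000), SelfSig(created=2000, expires=None)]


def compare(sigs: List[SelfSig]) -> dict:
    """Return both answers side by side so the divergence is visible."""
    return {
        "max_over_all": max_over_all(sigs),
        "latest_selfsig": latest_selfsig_expiration(sigs),
    }


if __name__ == "__main__":
    for name, sigs in (("shortened", SHORTENED), ("removed", REMOVED)):
        print(name, compare(sigs))
        print("  ", mr_uid_line("Alice <alice@example.org>", sigs))
```

Run stand-alone, the script prints the two strategies' answers for each list and the `uid:` line the keyserver should emit; for the `REMOVED` list the max-over-all rule reports 5000 while the newest self-sig says the User ID no longer expires, which is exactly the discrepancy the mail warns about.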

