[cryptography] Duplicate primes in lots of RSA moduli

Florian Weimer fw at deneb.enyo.de
Thu Feb 16 05:00:32 EST 2012

* Werner Koch:

> On Wed, 15 Feb 2012 23:22, fw at deneb.enyo.de said:
>> implementations seem to interpret it as a hard limit.  The V4 key
>> format has something which the OpenPGP specification calls an
>> "expiration date", but it's not really enforceable because it can be
>> stripped by an attacker and extended by someone who has access to the
>> private key, by creating a new self-signature.  In this sense, the
> The first part of your claim is wrong.  The expiration date can't be
> stripped by an attacker because it is bound by a self-signature to the
> key.  The self-signature is mandatory for OpenPGP keys.  In that sense
> it is the same as with the NotAfter date in X.509.

In X.509, certification signatures cover the value of the notAfter
attribute.  If I'm not mistaken, this is true for V3 keys as well.
However, when a V4 key is signed, the certification signature does not
cover the expiration date.  The key holder (legitimate or not) can
therefore arbitrarily extend the key lifetime, while keeping the key
in the web of trust.

This has advantages and disadvantages, of course.
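
The coverage difference discussed in this message, as an added example that is not part of the original post: it builds the byte string a certification signature hashes under RFC 4880 (sections 5.2.4 and 5.5.2) and checks whether a third party's certification still matches after the expiration is changed. The function names, the toy key material and the user ID are constructed for illustration, and the V4 signature layout is used for both key versions because the key packet is hashed the same way in either.

```python
import hashlib
import struct

CREATED = 1329350400                   # constructed timestamp (2012-02-16 UTC)
MATERIAL = b"\x00\x08\xc5\x00\x05\x11"  # constructed toy RSA MPIs (n, e), not a real key
UID = b"Alice <alice@example.org>"      # constructed user ID

def key_body(version, expiry_days):
    """Public-key packet body (RFC 4880 section 5.5.2), algorithm 1 = RSA."""
    if version == 3:
        # V3 stores the validity period in days inside the key packet itself.
        return struct.pack(">BIHB", 3, CREATED, expiry_days, 1) + MATERIAL
    # V4 has no expiration field in the key packet at all.
    return struct.pack(">BIB", 4, CREATED, 1) + MATERIAL

def expiry_subpacket(seconds):
    """Key Expiration Time subpacket (type 9) as carried in a self-signature."""
    return struct.pack(">BBI", 5, 9, seconds)

def cert_digest(key, sig_type=0x10, hashed_subpackets=b""):
    """SHA-256 of the data a V4 certification signature covers (section 5.2.4)."""
    data = b"\x99" + struct.pack(">H", len(key)) + key
    data += b"\xb4" + struct.pack(">I", len(UID)) + UID
    # Signature fields: version 4, type, pubkey algo 1, hash algo 8, hashed subpackets.
    hashed = struct.pack(">BBBBH", 4, sig_type, 1, 8, len(hashed_subpackets))
    hashed += hashed_subpackets
    return hashlib.sha256(data + hashed + b"\x04\xff"
                          + struct.pack(">I", len(hashed))).hexdigest()

def third_party_cert_survives_extension(version):
    """True if a 0x10 certification made at 1 year still matches at 10 years."""
    before = cert_digest(key_body(version, 365))
    after = cert_digest(key_body(version, 3650))
    return before == after

def self_signature_digests():
    """Digests of two V4 self-signatures (type 0x13) that differ only in expiry."""
    key = key_body(4, 0)
    return [cert_digest(key, 0x13, expiry_subpacket(days * 86400))
            for days in (365, 3650)]

if __name__ == "__main__":
    print("V3 certification survives extension:", third_party_cert_survives_extension(3))
    print("V4 certification survives extension:", third_party_cert_survives_extension(4))
    print("V4 self-signatures differ:", len(set(self_signature_digests())) == 2)
```
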
