Thunderbird 78.9.1 recently started using rnp_key_valid_till and I'm confused about what it is supposed to be good for.
In rnp.h, there is the following documentation:
```c
/**
 * @brief Get the timestamp till which key can be considered as valid.
 *        Note: this will take into account not only key's expiration, but revocations as well.
 *        For the subkey primary key's validity time will be also checked.
 * @param key key's handle.
 * @param result on success timestamp will be stored here. If key doesn't expire then maximum
 *               value will be stored here. If key was never valid then zero value will be
 *               stored here.
 * @return RNP_SUCCESS or error code on failure.
 */
RNP_API rnp_result_t rnp_key_valid_till(rnp_key_handle_t key, uint32_t *result);
```
First, it is not clear what "valid" means. For instance, let's consider a revoked key: is it valid for decryption? Of course! Just because I revoke a key doesn't mean that I don't want to read old encrypted messages anymore, even if I hard revoke it. A revocation means that people sending me messages shouldn't use it for encryption, and shouldn't trust signatures made by the key after it was soft revoked, or at all if it was hard revoked. So, the context is implicit, which makes it easy to misuse. In fact, Thunderbird does misuse it. Thunderbird 78.9.1 doesn't list keys in the OpenPGP key manager that are not considered "valid" according to this function (`*result == 0`).
Second, this function assumes that there is a single span of time where a key is valid. Unfortunately, this is a gross simplification. Let's say I create a certificate on January 1st. Then, it expires on July 1st, and I renew it on July 10th. The certificate is valid from January 1st through July 1st and then again starting on July 10th. What should this function return? In Sequoia, instead of returning when a key is valid, we reverse the question: a user of the API can ask: is this key valid at time t? Since all operations occur at some time t, this appears to be sufficient. See also these tests for some more concrete examples. Alternatively, how is an application supposed to use the returned time? Right now, Thunderbird just checks if the result is not 0. In what cases does it make sense for an application to check for a concrete time or range?
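The two points above (validity depends on the purpose of the operation, and a renewed key has more than one validity span) can be made concrete with a small model. The following is an added illustration written for this page; it is not RNP's or Sequoia's code and does not call either library. It represents a key's validity as a list of `(start, end)` spans plus a revocation, answers the Sequoia-style question "is this key valid at time t for purpose p", and contrasts that with a deliberately simplified single-timestamp `valid_till_single_span` that follows the documented contract (0 if never valid, maximum value if it never expires). The class, method names and the sample dates are all constructed for the example.

```python
"""Illustrative model of OpenPGP key validity as a set of time spans plus a
revocation, contrasted with a single "valid till" timestamp.  Constructed for
this example; it does not use or reproduce RNP's or Sequoia's implementation."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

UINT32_MAX = 2**32 - 1


def ts(year: int, month: int, day: int) -> int:
    """Unix timestamp (UTC midnight) for a calendar date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


class Revocation(Enum):
    NONE = "none"
    SOFT = "soft"  # key retired/superseded: signatures made before revocation stay trustworthy
    HARD = "hard"  # key compromised or reason unspecified: no signature is trustworthy


@dataclass
class KeyValidity:
    # Each span is (start, end) in Unix time; end=None means the binding never
    # expires.  A renewed key contributes a second span, which is exactly the
    # case a single "valid till" number cannot express.
    spans: list
    revocation: Revocation = Revocation.NONE
    revoked_at: Optional[int] = None

    def valid_at(self, t: int) -> bool:
        """Expiration only: is some validity span in force at time t?"""
        return any(start <= t and (end is None or t < end) for start, end in self.spans)

    def usable_for_encryption(self, t: int) -> bool:
        """Should a sender encrypt to this key at time t?"""
        if self.revocation is Revocation.HARD:
            return False
        if self.revocation is Revocation.SOFT and t >= self.revoked_at:
            return False
        return self.valid_at(t)

    def usable_for_decryption(self) -> bool:
        """Decrypting old mail needs only the secret material; neither revocation
        nor expiration changes that, so the answer does not depend on time."""
        return True

    def signature_trustworthy(self, sig_time: int) -> bool:
        """Should a verifier trust a signature this key made at sig_time?"""
        if self.revocation is Revocation.HARD:
            return False
        if self.revocation is Revocation.SOFT and sig_time >= self.revoked_at:
            return False
        return self.valid_at(sig_time)

    def valid_till_single_span(self) -> int:
        """A simplified single-timestamp answer in the shape of the documented
        contract: 0 if the key is never valid, UINT32_MAX if the earliest span
        never ends, otherwise the end of the earliest span (cut short by a soft
        revocation).  Later spans are invisible to this answer."""
        if self.revocation is Revocation.HARD or not self.spans:
            return 0
        _, end = min(self.spans, key=lambda span: span[0])
        end = UINT32_MAX if end is None else end
        if self.revocation is Revocation.SOFT:
            end = min(end, self.revoked_at)
        return end


def renewed_key_example() -> dict:
    """The scenario from the issue: valid Jan 1 - Jul 1, then again from Jul 10.
    Asked on Aug 1, valid_at says yes while the single timestamp is in the past."""
    key = KeyValidity(spans=[(ts(2021, 1, 1), ts(2021, 7, 1)), (ts(2021, 7, 10), None)])
    now = ts(2021, 8, 1)
    return {
        "valid_now": key.valid_at(now),
        "valid_in_gap": key.valid_at(ts(2021, 7, 5)),
        "valid_till": key.valid_till_single_span(),
        "valid_till_is_stale": key.valid_till_single_span() < now,
    }


if __name__ == "__main__":
    print(renewed_key_example())
```

The point of `usable_for_decryption`, `usable_for_encryption` and `signature_trustworthy` being separate methods is that each applies the revocation differently, so a caller is forced to say which operation it is about to perform instead of relying on an implicit context; `valid_till_single_span` shows that for the renewed key the single-timestamp answer is already in the past on August 1st even though the key is valid then.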