On Aug 28, 2009, at 2:37 AM, Faramir wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
David Shaw escribió:
...
Incidentally, there have been proposals to add forward security
extensions to OpenPGP. See http://www.apache-ssl.org/openpgp-pfs.txt
As a side note, I am not sure I like these proposals...
"Therefore when a public
encryption key expires, an OpenPGP client MUST securely wipe the
corresponding private key [4]."
What if I want to be able to decrypt an old email message? If my
encryption key was compromised, and my messages were sniffed, I get no
advantage in deleting my copy of the key and the messages, the
attacker
has his own copy of them, and surely won't delete them.
The idea of PFS is not one that works for all situations. For those
that do want PFS semantics, the draft merely shows how to do it in the
context of OpenPGP. Nobody is required to do this. It's strictly opt-
in.
Not being able to decrypt an old message when using PFS is a feature,
not a bug.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
