How long can you go with an expired key?
At the end of 2004, my annual key expiration event was allowed to pass without genning a new key: nobody had sent me encrypted mail in ages [years], and being the prick that I am, I started a little game instead.
I left the expired key on the .sig, and started the clock to see how long it would take for someone to notice. January 1, 2005 through February 25, 2008: about 3 years.
I had fully expected a CP to be the lucky contestant, but alas, Cpunks don't bother with key management anymore - heck, we don't even bother with distributed email anymore AFAIK. Alas, the alert correspondent was a commercial software vendor who makes little widgets. I had made an inquiry about a mass purchase, and they noticed the [now profoundly] expired key, and decided to Do The Right Thing and encrypt. Only they couldn't, as the key was deader than dead: it was "Tim May Someone Needs Killing Dead". And, even better, they were nice enough to point it out, assuming I was unaware. I am BCC'ing this post to said vendor: you really did do The Right Thing, and I applaud you for it! That you are the only one to notice is, I hope, a sign of the attention to detail I will find in your widgets.
So, CP Distributed Lists are dead. The list, singular is tottering, and has been for years, and now, I think I can proclaim Encryption Everywhere as Dead On Arrival. Even for so called crypto people. Tis a sad day in Eurasia folks.
//Alif
-- Yours, J.A. Terranson sysadmin_at_mfn.org 0xpgp_key_mgmt_is_broken-dont_bother
What religion, please tell me, tells you as a follower of that religion to occupy another country and kill its people? Please tell me. Does Christianity tell its followers to do that? Judaism, for that matter? Islam, for that matter? What prophet tells you to send 160,000 troops to another country, kill men, women, and children? You just can't wear your religion on your sleeve or just go to church. You should be truthfully religious.
Mahmoud Ahmadinejad
I think most of us use OTR now for communication we really care about being private.
What you're seeing is more likely the impending death of email.
(Though, for the lack of concern for PGP key lifetimes/validity/use/etc., you might have a look at my LISA 2003 talk -- it's got some great quotes in there from the cypherpunks and even one of the RFC 2440 authors about the usability of PGP. That's not to say usability hasn't improved in the last five years -- but it's more focused on enterprise systems -- so I'm not surprised your "winner" was a commercial vendor.)
And the cypherpunks? That community has been dead for years. Y'all just didn't get the memo. ;)
--Len.
On Sun, 24 Feb 2008, J.A. Terranson wrote:
At the end of 2004, my annual key expiration event was allowed to pass without genning a new key: nobody had sent me encrypted mail in ages [years], and being the prick that I am, I started a little game instead.
I left the expired key on the .sig, and started the clock to see how long it would take for someone to notice. January 1, 2005 through February 25, 2008: about 3 years.
I had fully expected a CP to be the lucky contestant, but alas, Cpunks don't bother with key management anymore - heck, we don't even bother with distributed email anymore AFAIK. Alas, the alert correspondent was a commercial software vendor who makes little widgets. I had made an inquiry about a mass purchase, and they noticed the [now profoundly] expired key, and decided to Do The Right Thing and encrypt. Only they couldn't, as the key was deader than dead: it was "Tim May Someone Needs Killing Dead". And, even better, they were nice enough to point it out, assuming I was unaware. I am BCC'ing this post to said vendor: you really did do The Right Thing, and I applaud you for it! That you are the only one to notice is, I hope, a sign of the attention to detail I will find in your widgets.
So, CP Distributed Lists are dead. The list, singular is tottering, and has been for years, and now, I think I can proclaim Encryption Everywhere as Dead On Arrival. Even for so called crypto people. Tis a sad day in Eurasia folks.
//Alif
-- Yours, J.A. Terranson sysadmin_at_mfn.org 0xpgp_key_mgmt_is_broken-dont_bother
What religion, please tell me, tells you as a follower of that religion to occupy another country and kill its people? Please tell me. Does Christianity tell its followers to do that? Judaism, for that matter? Islam, for that matter? What prophet tells you to send 160,000 troops to another country, kill men, women, and children? You just can't wear your religion on your sleeve or just go to church. You should be truthfully religious.
Mahmoud Ahmadinejad
--Len.
At 11:36 PM 2/24/2008, Len Sassaman wrote:
I think most of us use OTR now for communication we really care about being private.
When I've looked at OTR, it's basically an instant messaging client; has anybody adapted it to carry email or other applications?
What you're seeing is more likely the impending death of email.
I'd describe it much more as "the death of PGP support for email". When my laptop got stolen a couple of years ago, I did the right thing and genned up new keys, and installed current versions of PGP (the free-beer version of the commercial product) (and its Eudora plugin.) A few months later the PGP expired, and since I hadn't been sending encrypted email to anybody in a while, I'd forgotten the new long-enough-for-21st-century passphrase (:-), so I haven't been able to revoke the keys sitting out on the keyserver. Periodically Hugh bitches at me about not sending/accepting encrypted email, and I suppose I should just install GPG, using cut&paste instead of the friendly email plugin, since not only is PGP no longer supporting non-corporate users much, but Qualcomm has stopped supporting Eudora. Meanwhile, at work, MS Outlook has a reasonably friendly interface for sending encrypted and/or signed email, at least to coworkers, and I can't use it because our internal certificate authority can't generate a certificate for "billstewart@att.com", though it's happy to generate one for "ws5832@att.com", an internal address I have no intention of sending to any humans.
And the cypherpunks? That community has been dead for years. Y'all just didn't get the memo. ;)
On the other hand, the P2P-punks community is burning something like 30-50% of the bandwidth on the internet. And that IPSEC technology that was a cutting-edge civil rights issue in the 90s has become a routine commodity; it's how I've commuted to work for a decade or so.
On Sun, Feb 24, 2008 at 07:30:54PM -0600, J.A. Terranson wrote:
At the end of 2004, my annual key expiration event was allowed to pass without genning a new key: nobody had sent me encrypted mail in ages [years], and being the prick that I am, I started a little game instead.
So nobody sends you encrypted mail.
I left the expired key on the .sig, and started the clock to see how long it would take for someone to notice. January 1, 2005 through February 25, 2008: about 3 years.
So nobody sends you encrypted mail.
I had fully expected a CP to be the lucky contestant, but alas, Cpunks
I don't know where cypherpunks are, they're for sure no longer on this list.
don't bother with key management anymore - heck, we don't even bother with distributed email anymore AFAIK. Alas, the alert correspondent was
Hey, you only now notice anonymous remailers have been dead for some half decade?
a commercial software vendor who makes little widgets. I had made an inquiry about a mass purchase, and they noticed the [now profoundly] expired key, and decided to Do The Right Thing and encrypt. Only they couldn't, as the key was deader than dead: it was "Tim May Someone Needs Killing Dead". And, even better, they were nice enough to point it out, assuming I was unaware. I am BCC'ing this post to said vendor: you really did do The Right Thing, and I applaud you for it! That you are the only one to notice is, I hope, a sign of the attention to detail I will find in your widgets.
So, CP Distributed Lists are dead. The list, singular is tottering, and has been for years, and now, I think I can proclaim Encryption Everywhere
O'Rly?
Received: from proton.jfet.org (proton.jfet.org [69.60.117.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "sp2734", Issuer "sp2734" (not verified)) by v64.ativel.com (Postfix) with ESMTP id 372521364084
as Dead On Arrival. Even for so called crypto people. Tis a sad day in Eurasia folks.
FWIW, I still get encrypted mail, about one/month, or so.
-- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
On Mon, 25 Feb 2008, Eugen Leitl wrote:
Hey, you only now notice anonymous remailers have been dead for some half decade?
Oh? That's news to the remailers: http://stats.melontraffickers.com/
Encrypted email continues to be often used around some places. And encrypted files for transmittal is common, too. Sometimes for online transmittal, other times for sending by offline means.
Probably what is happening is that those using encryption do not advertise it as much as in earlier days, not least because of the ease with which it calls attention to users for traffic analysis by those who are happy the fools don't know what they reveal. And the more popular encryption programs have no doubt been compromised -- that is what "enterprise" means: to lure or entrap crypto users into overly trusting supposedly secure encryption for easy snooping on employees and citizens.
No serious info sec lover will use a single means for privacy. And will always beware of absolutely trustworthy anything. That is a mantra here.
Turncoats abound, cpunks no different than anyone in succumbing to contracts, bribery, threats, compromise, jealousy, hatred, bitterness, and the rest of excuses shits give themselves for screwing those who counted on others being more stupid than they are.
Recall that only a small number of cpunks ever posted to the list, and that remains the case. And quite a few of those posted to stimulate confessions and revealing info sec disclosures.
Still not clear if public crypto was a masterful hoodwink, but likely is, perfectly fitting the internet's astonishing success at inducing millions to blab and brag and believe a new era had arrived, privacy protected by mathematics and open testing, not wanting to believe the mathematicians and testers got to make a living doing what has to be done to keep the whining family happy, burp, ahem, ROTFL, etc. Duplicity is innate, the boyos argue and have faith in, to justify their rigging the info sec game.
At 09:00 AM 2/25/2008 +0100, Eugen Leitl wrote:
On Sun, Feb 24, 2008 at 07:30:54PM -0600, J.A. Terranson wrote:
At the end of 2004, my annual key expiration event was allowed to pass without genning a new key: nobody had sent me encrypted mail in ages [years], and being the prick that I am, I started a little game instead.
So nobody sends you encrypted mail.
I left the expired key on the .sig, and started the clock to see how long it would take for someone to notice. January 1, 2005 through February 25, 2008: about 3 years.
So nobody sends you encrypted mail.
I had fully expected a CP to be the lucky contestant, but alas, Cpunks
I don't know where cypherpunks are, they're for sure no longer on this list.
don't bother with key management anymore - heck, we don't even bother with distributed email anymore AFAIK. Alas, the alert correspondent was
Hey, you only now notice anonymous remailers have been dead for some half decade?
a commercial software vendor who makes little widgets. I had made an inquiry about a mass purchase, and they noticed the [now profoundly] expired key, and decided to Do The Right Thing and encrypt. Only they couldn't, as the key was deader than dead: it was "Tim May Someone Needs Killing Dead". And, even better, they were nice enough to point it out, assuming I was unaware. I am BCC'ing this post to said vendor: you really did do The Right Thing, and I applaud you for it! That you are the only one to notice is, I hope, a sign of the attention to detail I will find in your widgets.
So, CP Distributed Lists are dead. The list, singular is tottering, and has been for years, and now, I think I can proclaim Encryption Everywhere
O'Rly?
Received: from proton.jfet.org (proton.jfet.org [69.60.117.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "sp2734", Issuer "sp2734" (not verified)) by v64.ativel.com (Postfix) with ESMTP id 372521364084
as Dead On Arrival. Even for so called crypto people. Tis a sad day in Eurasia folks.
FWIW, I still get encrypted mail, about one/month, or so.
-- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
On Mon, Feb 25, 2008 at 1:38 AM, John Young <jya@pipeline.com> wrote:
Encrypted email continues to be often used around some places.
the usability is poor, compared to things like off the record [0] and opportunistic keying, etc. while i use encrypted mail daily in a professional context, i never use it in a personal one. sooner or later the dinosaurs will drop it too.
Turncoats abound, cpunks no different than anyone in succumbing to contracts, bribery, threats, compromise, jealousy, hatred, bitterness, and the rest of excuses shits give themselves for screwing those who counted on others being more stupid than they are.
it always tastes best when you cook it yourself. (or at least, have looked at the recipe and confirmed no cyanide or arsenic was intentionally added *g* [this, is my one complaint about OTR, building from source into a useful client can be tedious compared to other methods...]
Recall that only a small number of cpunks ever posted to the list, and that remains the case. And quite a few of those posted to stimulate confessions and revealing info sec disclosures.
"you're being a bit brief, please go into detail" :)
0. oh the hoops i had to jump to import an old otr 2.x key in gaim to otr3.0.x in pidgin. the friends list is also an interesting study in use and frequency of re-key; while i can no longer recall when A59CDCB3 46468A16 27D21678 270AF0B5 0B0477CF was originally generated others appear to cycle as frequently as weekly or so. interesting how the same tool can span the key management spectrum from anonymous opportunistic to strong mutually authenticated.
Coderman wrote...
Encrypted email continues to be often used around some places.
I completely disagree with what is apparently the prevailing notion on this 'dead' list.
Encrypted email is ramping upward rapidly, in the form of big business and the need for their Excos to protect news of mergers/acquisitions/'unexpected' losses and so on.
Oh, and don't forget all of the mundane traffic including account numbers and so on. And St May for the 'glorious' hackers: Without their proliferation there'd be less motivation for enterprises to encrypt.
Now the real question I have is whether this helps the little guy in any way, because the IP addresses of encrypted packets are themselves not encrypted, so that it's easy for NSA eavesdroppers to throw away the much less interesting enterprise traffic.
But I have little doubt that we're slowly approaching the knee in the hockeystick in terms of encrypted traffic.
-TD
On Fri, Feb 29, 2008 at 2:51 PM, Tyler Durden <camera_lumina@hotmail.com> wrote:
... Encrypted email is ramping upward rapidly, in the form of big business and the need for their Excos to protect news of mergers/acquisitions/'unexpected' losses and so on.
i see encrypted laptops and services fitting this bill, but i haven't seen a ramp up of encrypted mail in this role. perhaps i'm just not looking in the right places. [i didn't mean to dis encrypted mail quite as much as my previous comments appear to in hindsight. it certainly serves a purpose and is used often in business. but this is the only domain where i see it used much at all, and even then, VPN's and SSL/TLS services are overtaking many of the roles encrypted email used to fulfill. just my experience, and admittedly limited experience...]
Oh, and don't forget all of the mundane traffic including account numbers and so on. And St May for the 'glorious' hackers: Without their proliferation there'd be less motivation for enterprises to encrypt.
enterprises are definitely encrypting. FDE and VPN's and SSL/TLS services growing much more than encrypted email IMHO. i'd be curious to know how much of this is due to actual hacker threats, vs. data spills and regulatory / industry standards compliance pressures.
Now the real question I have is whether this helps the little guy in any way, because the IP addresses of encrypted packets are themselves not encrypted, so that it's easy for NSA eavesdroppers to throw away the much less interesting enterprise traffic.
pen registers for the intarwebs and social network analysis. they get most of what they want just watching those opaque bits move around...
But I have little doubt that we're slowly approaching the knee in the hockeystick in terms of encrypted traffic.
i think encrypted torrents are the largest source of encrypted traffic on the net. this is purely speculation though; i'd love to see numbers. (encrypted torrents, easy. encrypted mail, still too hard...)
best regards,
coderman wrote:
On Fri, Feb 29, 2008 at 2:51 PM, Tyler Durden <camera_lumina@hotmail.com> wrote:
... Encrypted email is ramping upward rapidly, in the form of big business and the need for their Excos to protect news of mergers/acquisitions/'unexpected' losses and so on.
i see encrypted laptops and services fitting this bill, but i haven't seen a ramp up of encrypted mail in this role. perhaps i'm just not looking in the right places.
Personally I haven't seen this in the commercial world but on the government side (at least NASA and DOD, heard DHS and DOE also but can't confirm them) they pushed organization wide PKI smart card initiatives (DOD CAC and NASA HSPD12) which by default encrypt and sign all emails to allow sensitive data to traverse public networks without snooping or alteration. Now we can argue how effective it is or how many folk disable it BUT that's a different issue (e.g. it's more in use in non-DOD agencies than DOD and disabled less regularly in the finance and personal shops than combat arms)
On Sun, Feb 24, 2008 at 5:30 PM, J.A. Terranson <measl@mfn.org> wrote:
... I left the expired key on the .sig, and started the clock to see how long it would take for someone to notice.
relying on an active reply / notification to you to determine "notice" is flawed, "notice" can be passive :) [besides, much more disconcerting than a long used key expiring, is a fraudulent key or long deprecated key (rollback) being used, or other such indicators more worthy of an active "heads up" response or just extreme scrutiny...]
So, CP Distributed Lists are dead.
dead is such a relative term... :P
participants (8)
- Bill Stewart
- coderman
- Eugen Leitl
- J.A. Terranson
- John Young
- Len Sassaman
- Peter Thoenen
- Tyler Durden