Discussion:
Expired client cert for decrypt?
Tichodroma
2012-11-16 12:44:20 UTC
Hi,

can an expired client certificate still be used for decryption?

If not, I'll have to export some encrypted emails before my client
certificate expires.

Regards

Tichodrom
--
This email is signed with a CAcert certificate. https://www.cacert.org/
Please do not send me Microsoft Office/Apple iWork documents.
Send OpenDocument instead! http://fsf.org/campaigns/opendocument/
https://duckduckgo.com/ | http://donttrack.us/ | http://dontbubble.us/
Werner Dworak
2012-11-16 13:46:13 UTC
Hello Tichodroma,
can an expired client certificate still be used for decryption? If
not, I'll have to export some encrypted emails before my client
certificate expires.
Yes, with an expired certificate you can still decrypt mails that
were encrypted with this certificate or verify mails signed with it. But
you can no longer encrypt or sign new mails.

But why do you not renew your certificate, it is very easy.

Another issue is a revoked certificate. With that you cannot do anything
any longer.

Regards, Werner
Mario Lipinski
2012-11-17 01:29:48 UTC
Hi,

not sure about all the technical details, and these may also vary between
client implementations.

In this case we have to distinguish between the trust and cryptography.

The trust part includes expiration, revocation etc. They indicate
whether signed information could be trusted. If a signature was made
with an expired or a revoked certificate, the receiver should not trust
the signature.

From the crypto part: we just have private and public keys. So the bits
used for encryption and signing are still good. This means that, regardless
of expired or revoked certs, signing and en/decryption are still possible.

A (private) certificate includes the private and public keys and a
signature by a maybe trusted authority. When renewing, the signature is
renewed. The keys (imho) remain unchanged. So you should be able to use
a renewed certificate also to decrypt older mails (no guarantee that it
works with your client).

From a user perspective: renew your certificate and keep the old
(whether revoked or expired) one to be able to decrypt older mails if
necessary.
Even a revoked certificate may be of use for the owner. E.g. a user may
have received important encrypted mails before. Then, his certificate
gets compromised. The cert is revoked, so it is no longer trusted by
others. But the user may still want to encrypt his older mail.

Mario
Post by Werner Dworak
Hello Tichodroma,
can an expired client certificate still be used for decryption? If
not, I'll have to export some encrypted emails before my client
certificate expires.
Yes, with an expired certificate you can still decrypt mails that
were encrypted with this certificate or verify mails signed with it. But
you can no longer encrypt or sign new mails.
But why do you not renew your certificate, it is very easy.
Another issue is a revoked certificate. With that you cannot do anything
any longer.
Regards, Werner
--
Mit freundlichen Grüßen / Best regards

Mario Lipinski
Infrastructure Team Leader, E-Mail: mario-xHchwMmBYmcdnm+***@public.gmane.org
Organisation Assurer (Germany), Internet: http://www.cacert.org
Arbitrator / Case Manager
CAcert

Support CAcert: http://www.cacert.org/index.php?id=13
http://wiki.cacert.org/wiki/HelpingCAcert
Carl von Einem
2012-11-16 13:43:55 UTC
Hi Tichodrom,

make sure you keep the expired certificate as is (and please don't
forget to generate a new one).

As long as your old certificate isn't revoked it is valid for those
messages that are signed/encrypted with it while the certificate was valid.

Some related information in the wiki I was able to find quickly is here:
http://wiki.cacert.org/DigitalSignature
-> Discussion
-> Revocation of a Signature
"...it is very important to understand the role of "expiration", and the
difference to "revocation". Expiration should mean that it has run out,
and that it cannot be used anymore for new signatures, or new
communication sessions. Digital Signatures that have been made with this
key while it was valid ARE STILL VALID."

Hope that helps,

Carl

- - -
Carl von Einem
CAcert Assurer
Post by Tichodroma
Hi,
can an expired client certificate still be used for decryption?
If not, I'll have to export some encrypted emails before my client
certificate expires.
Regards
Tichodrom