Bug 339087

Summary: you cannot encrypt to an expired OpenPGP certificate
Product: [Applications] kmail2 Reporter: Hauke Laging <hauke>
Component: cryptoAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UPSTREAM    
Severity: wishlist CC: kdenis, kolAflash
Priority: NOR    
Version: 5.1.3   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:

Description Hauke Laging 2014-09-15 00:33:29 UTC 
KMail does not allow to encrypt to expired certificates. It is OK to warn about that (and would be a failure not to do so) but not allowing to encrypt to this key is a severe security failure because it does not make any sense and forces the user to use a different key (if available, usually not) or to send the mail unencrypted.

This is similar to the old (meanwhile solved) problem that you could not encrypt to non-valid keys. Of course, encrypting to a non-valid (i.e. never has been valid) key is much more severe that encrypting to an expired one which a purely formal problem not a technical one.

Reproducible: Always

Steps to Reproduce:
1. Let a certificate expire.
2. Try to send a mail encrypted to this certificate.


Actual Results:  
Email cannot be sent.

Expected Results:  
Warning which can be overridden.
Comment 1 Hauke Laging 2014-09-16 00:03:20 UTC 
I have to "suspend" this bug report as it turned out that this is a problem of the underlying GnuPG (at least gpg) which currently does not allow this. Maybe this will be changed in future versions.

But I don't know whether this problem affects gpgme, though.

http://lists.gnupg.org/pipermail/gnupg-users/2014-September/050850.html

There is no concensus in the community what is the right behaviour.
Comment 2 kolAflash 2016-09-25 22:10:24 UTC 
Still valid for KMail 5.1.3 (KDE Frameworks 5.21.0 on openSUSE 42.1)

Related: https://bugs.kde.org/show_bug.cgi?id=369358
Comment 3 kolAflash 2016-09-25 22:41:22 UTC 
Another attempt to get this fixed.
https://bugs.gnupg.org/gnupg/issue2703
Comment 4 Denis Kurz 2017-01-18 18:56:57 UTC 
You already came to the conclusion that this is a limitation of the underlying gnupg, so I close this bug as UPSTREAM.