dealing with signature expiration?

RFC 9580 §5.3.2.18 (and prior RFCs as well) define a "signature expiration time" subpacket.

I don't think i fully understand the semantics of the subpacket. Note that it is distinct from the key expiration time subpacket.

For example, for such an expiration subpacket in a data signature, how should it interact with, say, sop verify or sop inline-verify? Should it be related to --not-before and --not-after somehow?

For another example, what if the expiration subpacket is present in a User ID certification? Can we specify what sop validate-userid should do?

Should there be a way to tell sop to emit such a subpacket in any of the commands that generate OpenPGP signatures? For example, should we offer an --expiration=DATE option for sop certify-userid? Should we offer it for sop sign or sop inline-sign?

I don't know that i've ever seen such a subpacket in a data signature in the wild. I have, however, seen it in certification signatures.

Other OpenPGP implementations:

  • GnuPG offers --default-sig-expire and --ask-sig-expire (presumably for this subpacket in data signatures) and --default-cert-expire and --ask-cert-expire (presumably for this subpacket in certifications).
Edited by Daniel Kahn Gillmor
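As an added worked example (not code from sop, GnuPG or any other OpenPGP implementation), the following parses a signature subpacket area, derives the absolute expiry from the RFC 9580 "seconds after creation" encoding, and applies one possible policy for the interaction asked about above: --not-before/--not-after bound the signature creation time, while the expiration subpacket is compared against the verification time. That policy and the sample subpacket bytes are assumptions constructed for this illustration.

```python
import struct
from datetime import datetime, timezone, timedelta

SIG_CREATION_TIME = 2    # subpacket type: 4-octet creation time
SIG_EXPIRATION_TIME = 3  # seconds after creation; absent or 0 = never expires
KEY_EXPIRATION_TIME = 9  # distinct subpacket, deliberately not consulted here

def parse_subpackets(area: bytes) -> dict:
    """Parse an OpenPGP signature subpacket area into {type: body}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        body = area[i:i + length]
        i += length
        out[body[0] & 0x7F] = body[1:]       # strip the critical bit from the type octet
    return out

def signature_window(subpackets: dict):
    """Return (creation, expires); expires is None when the signature never expires."""
    created = struct.unpack(">I", subpackets[SIG_CREATION_TIME])[0]
    creation = datetime.fromtimestamp(created, timezone.utc)
    exp_body = subpackets.get(SIG_EXPIRATION_TIME)
    seconds = struct.unpack(">I", exp_body)[0] if exp_body else 0
    return creation, (creation + timedelta(seconds=seconds) if seconds else None)

def check_signature(subpackets, now, not_before=None, not_after=None) -> str:
    """Assumed policy: the window bounds creation time; expiry is checked against now."""
    creation, expires = signature_window(subpackets)
    if not_before is not None and creation < not_before:
        return "rejected: created before --not-before"
    if not_after is not None and creation > not_after:
        return "rejected: created after --not-after"
    if expires is not None and now >= expires:
        return "rejected: signature expired"
    return "ok"

def subpacket(sp_type: int, body: bytes) -> bytes:
    """Encode one subpacket with a one-octet length (enough for these sizes)."""
    return bytes([len(body) + 1, sp_type]) + body

# Constructed sample: created at Unix time 1700000000, expires one day later.
SAMPLE = (subpacket(SIG_CREATION_TIME, struct.pack(">I", 1700000000))
          + subpacket(SIG_EXPIRATION_TIME, struct.pack(">I", 86400)))
```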