Reconsider the validity of signatures
Let's say Alice creates a certificate at time t0. At t1 she signs a message. Then at t2, she issues a new binding signature (perhaps extending the certificate's expiration). If Alice exports her certificate with only the latest binding signature (as gpg --export-options export-minimal --export does), then the signature will not be considered valid, because the signature's creation time does not overlap with the binding signature's lifetime.
This was a serious problem for users of rpm, and I consequently added a workaround to rpm-sequoia to deal with it.
The Qubes developers also encountered this issue when using the WoT with minimized certificates.
A possible solution is to observe that a backsig is over the primary key and the subkey. Therefore the maximum of the primary key's key creation time and the subkey's key creation time is authenticated by the backsig, and, chaining back, by the binding signature. Therefore, we could use the maximum of the primary key's key creation time and the subkey's key creation time as the start of the validity period instead of the binding signature's creation time.
Potential issues:
- This approach may authenticate signatures that were made when there was never a valid binding signature.
- If the binding signature that was valid as of the signature's creation time had different properties, e.g., key flags, from the old binding signature, then the presence of the old binding signature would change the judgment from authenticated to not authenticated. As a general rule of thumb, I think if an attacker withholds information, they should not be able to change a negative judgment to a positive judgment. (The main exception being revocation certificates.) On the other hand, users don't normally change these properties.
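The following is an added example, not code from Sequoia or rpm-sequoia: a toy model that compares the current rule with the proposed one on the minimized-certificate timeline above, and on a constructed case for the first potential issue. It assumes integer times and absolute expiration times, and all type and function names are hypothetical.

```rust
// Added illustration: a toy model with integer times, not Sequoia's implementation.
#[derive(Clone, Copy)]
struct Binding { created: u64, expires: Option<u64> } // absolute expiry; None = never

struct Cert { primary_created: u64, subkey_created: u64, bindings: Vec<Binding> }

impl Cert {
    // Shared check: some binding's validity window [start, expires) contains sig_time.
    fn covered(&self, sig_time: u64, start_of: impl Fn(&Binding) -> u64) -> bool {
        self.bindings.iter().any(|b| {
            start_of(b) <= sig_time && b.expires.map_or(true, |e| sig_time < e)
        })
    }
    // Current rule: the window starts at the binding signature's creation time.
    fn valid_current(&self, sig_time: u64) -> bool {
        self.covered(sig_time, |b| b.created)
    }
    // Proposed rule: the window starts at max(primary creation, subkey creation).
    fn valid_proposed(&self, sig_time: u64) -> bool {
        let start = self.primary_created.max(self.subkey_created);
        self.covered(sig_time, |_| start)
    }
    // Models a minimal export: only the latest binding signature survives.
    fn minimized(&self) -> Cert {
        let latest = self.bindings.iter().copied().max_by_key(|b| b.created);
        Cert { primary_created: self.primary_created, subkey_created: self.subkey_created,
               bindings: latest.into_iter().collect() }
    }
}

// Constructed timeline from the text: t0 = 0 (certificate created), t1 = 50 (message
// signed), t2 = 80 (new binding signature extends the expiration).
fn alice() -> Cert {
    Cert { primary_created: 0, subkey_created: 0, bindings: vec![
        Binding { created: 0, expires: Some(100) },
        Binding { created: 80, expires: Some(200) } ] }
}

// Constructed gap case: the first binding expired at 10, the next was issued at 20.
fn gap() -> Cert {
    Cert { primary_created: 0, subkey_created: 0, bindings: vec![
        Binding { created: 0, expires: Some(10) },
        Binding { created: 20, expires: None } ] }
}

fn main() {
    let (a, g) = (alice().minimized(), gap());
    println!("t1 on minimized cert: current={} proposed={}", a.valid_current(50), a.valid_proposed(50));
    println!("gap signature at 15:  current={} proposed={}", g.valid_current(15), g.valid_proposed(15));
}
```

The gap case is accepted under the proposed rule even though no binding signature was live at time 15, which is the first potential issue listed above.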