Key lifetime

L. Sassaman rabbi@quickie.net
Thu, 8 Jun 2000 13:50:22 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 8 Jun 2000, Stefan H. Holek wrote:

> On Thu, 8 Jun 2000, L. Sassaman wrote:
> 
> > The longer the lifetime of a key, the more likely the key is to be
> > compromised. If you chose to retire a key, be sure to link your new key
> > with the old by signing it with the old before the old key expires.
> 
> Does this mean an expired key can still be used for computing trust?

Yes. Read RFC 2440 if you're really interested.
 
> > Note that you can make use of the fact that multiple subkeys are permitted
> > in OpenPGP to address this issue partially: you expire your encryption
> > keys, but keep your signing key the same.
> 
> I have also seen people have completely separate signing and encryption
> keys... 

That is a rare case.
 
> But - I could still lose the passphrase for my signing key, or someone
> could find a way to steal my private keyring, or ...

True.
 
> So, there seems to be no way around re-establishing trust (getting people
> to sign my current (signing-) key) once in a while. Well, maybe this is
> not too bad a thing anyway... 

Exactly.


__

L. Sassaman

System Administrator                |  "It's a nice day 
Technology Consultant               |   to start again."
icq.. 10735603                      |    
pgp.. finger://ns.quickie.net/rabbi |        --Billy Idol







-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5QAcVPYrxsgmsCmoRAneQAKDGTAugVzZ1koqswPlbNim+DHCvCACfe76P
HSt+wtdlJF9z3AeQFBfUeGs=
=qj6k
-----END PGP SIGNATURE-----
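The points in this exchange (a key lifetime set as an expiration on the self-signature, and an expired key still counting when trust is computed) can be made concrete with a small parser. The following is an added example, not code from the thread or from any OpenPGP implementation: it builds a constructed, non-cryptographic v4 key blob (dummy MPIs, old-format packet headers only), extracts the RFC 2440 Key Expiration Time subpacket from the self-signature, and answers "can this key sign at time t?" and "does a certification made before expiry still count afterwards?". The trust rule in `signature_counts_for_trust` is modelled on how GnuPG treats signatures from expired keys and is an assumption of this example, not a quotation from the RFC.

```python
"""Added example: OpenPGP (RFC 2440) key-expiration parsing and semantics.

Not from the mailing-list thread.  The key blob is a constructed fixture with
dummy MPIs; only the packet framing and the self-signature subpackets are real.
"""
import struct

SECONDS_PER_YEAR = 365 * 24 * 3600
SUBPKT_SIG_CREATION = 2      # RFC 2440 5.2.3.4 Signature Creation Time
SUBPKT_KEY_EXPIRATION = 9    # RFC 2440 5.2.3.6 Key Expiration Time (seconds after key creation)
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6


def read_packet(buf, off):
    """Parse one old-format packet header (RFC 2440 4.2.1).
    Returns (tag, body, offset_of_next_packet)."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:
        raise ValueError("new-format headers not handled in this example")
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        length, hdr = buf[off + 1], 2
    elif ltype == 1:
        length, hdr = struct.unpack(">H", buf[off + 1:off + 3])[0], 3
    elif ltype == 2:
        length, hdr = struct.unpack(">I", buf[off + 1:off + 5])[0], 5
    else:
        raise ValueError("indeterminate length not handled")
    start = off + hdr
    return tag, buf[start:start + length], start + length


def parse_subpackets(data):
    """Split a signature subpacket area into (type, body) pairs using the
    1/2/5-octet length encoding of RFC 2440 5.2.3.1."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8 | data[i + 1]) + 192
            i += 2
        else:
            length = struct.unpack(">I", data[i + 1:i + 5])[0]
            i += 5
        # the length counts the type octet, so the body is length - 1 octets
        out.append((data[i], data[i + 1:i + length]))
        i += length
    return out


def key_lifetime(blob):
    """Return (creation_time, expiry_time) as Unix seconds.  expiry_time is
    None when the self-signature carries no (or a zero) expiration subpacket,
    which RFC 2440 defines as 'never expires'."""
    creation, expiry, off = None, None, 0
    while off < len(blob):
        tag, body, off = read_packet(blob, off)
        if tag == TAG_PUBLIC_KEY:
            if body[0] != 4:
                raise ValueError("only v4 keys handled")
            creation = struct.unpack(">I", body[1:5])[0]
        elif tag == TAG_SIGNATURE and body[0] == 4:
            hashed_len = struct.unpack(">H", body[4:6])[0]
            for sp_type, sp_body in parse_subpackets(body[6:6 + hashed_len]):
                if sp_type == SUBPKT_KEY_EXPIRATION:
                    seconds = struct.unpack(">I", sp_body)[0]
                    if seconds:
                        expiry = creation + seconds
    if creation is None:
        raise ValueError("no public key packet")
    return creation, expiry


def key_usable_at(blob, t):
    """May the key make a *new* signature at time t?"""
    creation, expiry = key_lifetime(blob)
    return creation <= t and (expiry is None or t < expiry)


def signature_counts_for_trust(blob, sig_created):
    """A certification made while the key was valid keeps counting when trust is
    computed later, even after the key has expired; one dated after expiry does
    not.  Assumed model (mirrors GnuPG's handling), not quoted from RFC 2440."""
    return key_usable_at(blob, sig_created)


def build_test_key(creation, lifetime_seconds):
    """Constructed fixture: public-key packet + self-signature with a Key
    Expiration subpacket.  MPIs are dummies; this is not a usable key."""
    pk_body = b"\x04" + struct.pack(">I", creation) + b"\x01"        # v4, ctime, RSA
    pk_body += b"\x00\x02\x03" + b"\x00\x02\x03"                     # dummy MPIs n, e
    subpkts = b"\x05" + bytes([SUBPKT_SIG_CREATION]) + struct.pack(">I", creation)
    subpkts += b"\x05" + bytes([SUBPKT_KEY_EXPIRATION]) + struct.pack(">I", lifetime_seconds)
    sig_body = b"\x04\x13\x01\x02" + struct.pack(">H", len(subpkts)) + subpkts
    sig_body += b"\x00\x00" + b"\xAB\xCD" + b"\x00\x02\x03"          # no unhashed area, hash prefix, dummy MPI
    return (bytes([0x80 | (TAG_PUBLIC_KEY << 2) | 1]) + struct.pack(">H", len(pk_body)) + pk_body
            + bytes([0x80 | (TAG_SIGNATURE << 2) | 1]) + struct.pack(">H", len(sig_body)) + sig_body)


if __name__ == "__main__":
    created = 960000000                       # constructed timestamp, June 2000
    blob = build_test_key(created, SECONDS_PER_YEAR)
    print("lifetime:", key_lifetime(blob))
    print("can sign after 30 days:", key_usable_at(blob, created + 30 * 86400))
    print("can sign after 2 years:", key_usable_at(blob, created + 2 * SECONDS_PER_YEAR))
    print("old certification still counts:", signature_counts_for_trust(blob, created + 100))
```

Because the decision depends only on the signature's own creation time, a cross-signature from the old key onto the new one (made before the old key expires, as the reply recommends) keeps linking the two keys no matter how long after expiry a verifier evaluates it.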