Key lifetime

L. Sassaman rabbi@quickie.net
Thu, 8 Jun 2000 13:50:22 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 8 Jun 2000, Stefan H. Holek wrote:


> On Thu, 8 Jun 2000, L. Sassaman wrote:
>
> > The longer the lifetime of a key, the more likely the key is to be
> > compromised. If you choose to retire a key, be sure to link your new key
> > with the old by signing it with the old before the old key expires.
>
> Does this mean an expired key can still be used for computing trust?

Yes. Read RFC 2440 if you're really interested.

> > Note that you can make use of the fact that multiple subkeys are permitted
> > in OpenPGP to address this issue partially: you expire your encryption
> > keys, but keep your signing key the same.
>
> I have also seen people have completely separate signing and encryption
> keys...

That is a rare case.

> But - I could still lose the passphrase for my signing key, or someone
> could find a way to steal my private keyring, or ...

True.

> So, there seems to be no way around re-establishing trust (getting people
> to sign my current (signing-) key) once in a while. Well, maybe this is
> not too bad a thing anyway...

Exactly.

__
L. Sassaman
System Administrator                 | "It's a nice day
Technology Consultant                |  to start again."
icq.. 10735603                       |
pgp.. finger://ns.quickie.net/rabbi  | --Billy Idol

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5QAcVPYrxsgmsCmoRAneQAKDGTAugVzZ1koqswPlbNim+DHCvCACfe76P
HSt+wtdlJF9z3AeQFBfUeGs=
=qj6k
-----END PGP SIGNATURE-----
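The key-transition rule discussed above (the old key certifies the new one before the old key expires, and that certification still counts once the old key has expired), as an added example that is not part of the original message: a simplified Python model of RFC 2440 key expiry and signature creation time, using constructed keys and dates. `Key`, `Certification`, `reachable` and `key_transition` are hypothetical helpers written for this illustration; they do no OpenPGP parsing and no real cryptography.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Key:
    keyid: str
    created: datetime
    lifetime: Optional[timedelta]  # None: no Key Expiration Time subpacket, never expires

    def valid_at(self, t: datetime) -> bool:
        # RFC 2440 expiry is relative to creation: usable on [created, created + lifetime)
        if t < self.created:
            return False
        return self.lifetime is None or t < self.created + self.lifetime

@dataclass(frozen=True)
class Certification:
    signer: str        # keyid of the certifying key
    target: str        # keyid of the key being certified
    made_at: datetime  # Signature Creation Time subpacket

def certification_counts(cert: Certification, keys: Dict[str, Key], now: datetime) -> bool:
    """Credit a certification if the signer was valid when it signed (and it is not
    dated in the future). The signer expiring later does not cancel it retroactively."""
    return cert.made_at <= now and keys[cert.signer].valid_at(cert.made_at)

def reachable(trusted: Set[str], certs: List[Certification],
              keys: Dict[str, Key], now: datetime) -> Set[str]:
    """Keys linked to the trusted set by a chain of creditable certifications."""
    found, changed = set(trusted), True
    while changed:
        changed = False
        for c in certs:
            if c.signer in found and c.target not in found and certification_counts(c, keys, now):
                found.add(c.target)
                changed = True
    return found

def key_transition(signed_before_expiry: bool) -> bool:
    """Constructed scenario: a one-year 'old' key certifies a 'new' key, and the check
    runs on 2000-06-08, after 'old' has expired. Returns whether 'new' is still linked."""
    keys = {
        "old": Key("old", datetime(1999, 1, 1), timedelta(days=365)),  # expires 2000-01-01
        "new": Key("new", datetime(1999, 11, 1), None),
    }
    made_at = datetime(1999, 12, 1) if signed_before_expiry else datetime(2000, 3, 1)
    certs = [Certification("old", "new", made_at)]
    return "new" in reachable({"old"}, certs, keys, datetime(2000, 6, 8))
```

`key_transition(True)` returns True (the link survives the old key's expiry); `key_transition(False)` returns False, because a certification made after the old key expired is never credited.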