Key lifetime
L. Sassaman
rabbi@quickie.net
Wed, 14 Jun 2000 20:25:02 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 13 Jun 2000, Florian Weimer wrote:
> "L. Sassaman" <rabbi@quickie.net> writes:
>
> > > > The longer the lifetime of a key, the more likely the key is to be
> > > > compromised. If you chose to retire a key, be sure to link your new key
> > > > with the old by signing it with the old before the old key expires.
> > >
> > > Does this mean an expired key can still be used for computing trust?
> >
> > Yes. Read RFC 2440 if you're really interested.
>
> Do you have a quote? I'm quite sure this issue is *not* covered by
> RFC 2440.
OpenPGP specifies the usage of "trust signatures" to specify trust. I
believe that Werner mentioned that he was planning on getting rid of the
trustdb setup in GnuPG 1.1, and using signatures as a means of calculating
trust.
In order for the trust calculation to take place, the signature must be
valid.
So the question really comes down to, "are expired keys valid?" And that
*is* covered by the RFC.
__
L. Sassaman
System Administrator | "If you chose not to decide,
Technology Consultant | you still have made a choice"
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Rush
-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE5SEyVPYrxsgmsCmoRAkGBAJ9L5aW6ZGCiNjaoedhcCUM7R3CZeACfXbej
F7KibvDN/6a28D0Ycvk17gY=
=zNs0
-----END PGP SIGNATURE-----