Wed, 14 Jun 2000 20:25:02 -0700 (PDT)
On 13 Jun 2000, Florian Weimer wrote:
> "L. Sassaman" <firstname.lastname@example.org> writes:
> > > > The longer the lifetime of a key, the more likely the key is to be
> > > > compromised. If you choose to retire a key, be sure to link your new key
> > > > with the old by signing it with the old before the old key expires.
> > >
> > > Does this mean an expired key can still be used for computing trust?
> > Yes. Read RFC 2440 if you're really interested.
> Do you have a quote? I'm quite sure this issue is *not* covered by
> RFC 2440.
OpenPGP specifies the usage of "trust signatures" to specify trust. I
believe that Werner mentioned that he was planning on getting rid of the
trustdb setup in GnuPG 1.1, and using signatures as a means of calculating

In order for the trust calculation to take place, the signature must be

So the question really comes down to, "are expired keys valid?" And that
*is* covered by the RFC.
System Administrator | "If you chose not to decide,
Technology Consultant | you still have made a choice"
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Rush