Key lifetime

L. Sassaman
Wed, 14 Jun 2000 20:25:02 -0700 (PDT)

Hash: SHA1

On 13 Jun 2000, Florian Weimer wrote:

> "L. Sassaman" <> writes:
> > > > The longer the lifetime of a key, the more likely the key is to be
> > > > compromised. If you chose to retire a key, be sure to link your new key
> > > > with the old by signing it with the old before the old key expires.
> > >
> > > Does this mean an expired key can still be used for computing trust?
> >
> > Yes. Read RFC 2440 if you're really interested.
> Do you have a quote? I'm quite sure this issue is *not* covered by
> RFC 2440.
OpenPGP specifies the usage of "trust signatures" to specify trust. I believe that Werner mentioned that he was planning on getting rid of the trustdb setup in GnuPG 1.1, and using signatures as a means of calculating trust. In order for the trust calculation to take place, the signature must be valid. So the question really comes down to, "are expired keys valid?" And that *is* covered by the RFC. __ L. Sassaman System Administrator | "If you chose not to decide, Technology Consultant | you still have made a choice" icq.. 10735603 | pgp.. finger:// | --Rush -----BEGIN PGP SIGNATURE----- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE5SEyVPYrxsgmsCmoRAkGBAJ9L5aW6ZGCiNjaoedhcCUM7R3CZeACfXbej F7KibvDN/6a28D0Ycvk17gY= =zNs0 -----END PGP SIGNATURE-----