Extending the key expiration date

JanuszA.Urbanowicz JanuszA.Urbanowicz
Thu Sep 6 16:41:01 2001

Florian Weimer wrote/napisał[a]/schrieb:

> "Janusz A. Urbanowicz" <alex@bofh.torun.pl> writes:
> > By definition if an attacker have your secret key, he can do
> > anything. You may call it a flaw in whole pulic key cryptography
> > concept.
> This is certainly wrong. For example, the attacker cannot override
> already distributed revocation certificates. Reliable expiration of
> keys is required to be able to cut down the length of certification
> revocation lists for most applications. Otherwise, large-scale CAs
> might become unusable after a few years of operation.
This is done using CRLs and revocations themselves. And it depends on definition of 'reliable expiration'. The point of expiration is to eliminate 'forgotten' keys and keys with short lifespan on purpose. If a personal key is not compromised after expiry period, it should be perfectly legal to reset the expiry date for a next period. This saves a lot of hassle with key distribution, establishing trust etc. Alex -- Janusz A. Urbanowicz | ALEX3-RIPE | SF-Framling | Thawte Web Of Trust Notary Gdy daję biednym chleb, nazywają mnie świętym. Gdy pytam, dlaczego biedni nie mają chleba, nazywają mnie komunistą. - abp. Helder Camara