Extending the key expiration date
JanuszA.Urbanowicz
Thu Sep 6 16:41:01 2001
Florian Weimer wrote:
> "Janusz A. Urbanowicz" <alex@bofh.torun.pl> writes:
> > By definition, if an attacker has your secret key, he can do
> > anything. You may call it a flaw in the whole public key cryptography
> > concept.
>
> This is certainly wrong. For example, the attacker cannot override
> already distributed revocation certificates. Reliable expiration of
> keys is required to be able to cut down the length of certification
> revocation lists for most applications. Otherwise, large-scale CAs
> might become unusable after a few years of operation.
This is done using CRLs and revocations themselves. And it depends on the
definition of 'reliable expiration'. The point of expiration is to eliminate
'forgotten' keys and keys with a short lifespan on purpose.
If a personal key is not compromised after the expiry period, it should be
perfectly legal to reset the expiry date for the next period. This saves a lot
of hassle with key distribution, establishing trust etc.
Alex
--
Janusz A. Urbanowicz | ALEX3-RIPE | SF-Framling | Thawte Web Of Trust Notary
When I give bread to the poor, they call me a saint. When I ask
why the poor have no bread, they call me a communist. - Abp. Helder Camara
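The interplay the two messages argue over, as an added example that is not part of this thread or of GnuPG: a small Python model in which HMAC over a constructed secret stands in for the key's self-signature (an assumption made so it runs offline). Whoever holds the secret can reset the expiry, as Janusz says; a distributed revocation certificate is not undone by later self-signatures, as Florian says.

```python
# Added example, not from the thread: a model of how OpenPGP-style key expiry
# and revocation interact. HMAC over a stand-in secret replaces the asymmetric
# self-signature, so anyone holding the secret (owner or thief) can sign.
import hashlib, hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    kind: str               # "selfsig" (sets expiry) or "revocation"
    created: int            # signature creation time, seconds
    expires: Optional[int]  # expiry set by a selfsig; None = never
    tag: bytes              # simulated signature over the fields above

def _tag(secret: bytes, kind: str, created: int, expires: Optional[int]) -> bytes:
    return hmac.new(secret, f"{kind}|{created}|{expires}".encode(), hashlib.sha256).digest()

def sign(secret: bytes, kind: str, created: int, expires: Optional[int] = None) -> Packet:
    return Packet(kind, created, expires, _tag(secret, kind, created, expires))

def key_status(secret: bytes, packets: list, now: int) -> str:
    """'revoked', 'expired' or 'valid' at time `now`. A valid revocation wins no
    matter how many self-signatures follow it; otherwise the newest valid
    self-signature decides the expiry, which is how a holder resets it."""
    good = [p for p in packets if p.created <= now and
            hmac.compare_digest(p.tag, _tag(secret, p.kind, p.created, p.expires))]
    if any(p.kind == "revocation" for p in good):
        return "revoked"
    selfsigs = [p for p in good if p.kind == "selfsig"]
    if not selfsigs:
        return "expired"   # no usable self-signature binds the key
    latest = max(selfsigs, key=lambda p: p.created)
    return "expired" if latest.expires is not None and now >= latest.expires else "valid"

# Constructed timeline in seconds; YEAR multiples keep it readable.
YEAR = 365 * 86400
SECRET = b"constructed-stand-in-secret"
made = sign(SECRET, "selfsig", 0, 1 * YEAR)                     # key created, one-year expiry
owner_ext = sign(SECRET, "selfsig", YEAR - 10, 2 * YEAR)        # owner resets the expiry date
thief_ext = sign(SECRET, "selfsig", 2 * YEAR - 10, 9 * YEAR)    # holder of the stolen key does the same
revoke = sign(SECRET, "revocation", 2 * YEAR)                   # owner's revocation certificate is distributed
thief_after = sign(SECRET, "selfsig", 2 * YEAR + 10, 9 * YEAR)  # thief re-signs after the revocation

def scenario() -> dict:
    return {
        "lapsed": key_status(SECRET, [made], YEAR + 5),
        "owner_extends": key_status(SECRET, [made, owner_ext], YEAR + 5),
        "thief_extends": key_status(SECRET, [made, owner_ext, thief_ext], 3 * YEAR),
        "revocation_sticks": key_status(SECRET, [made, owner_ext, thief_ext, revoke, thief_after], 3 * YEAR),
    }
```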