Extending the key expiration date

Werner Koch wk@gnupg.org
Thu Sep 6 19:10:01 2001


On 06 Sep 2001 17:44:11 +0200, Florian Weimer said:


> CRLs whose length is monotonically increasing are a problem. If there
> is a general consensus that keys are invalid after their expiration,
> it is not necessary to include expired keys in CRLs by default.

However, we don't use CRLs with OpenPGP and a keyserver will never drop a key. I don't see a problem with that. For an important signature you will always check the keyservers for a revocation, so there is not much point in having an expiration time on the primary key; the only true solution is to use one-time public keys.

> An attacker who has obtained access to the private key can do the
> same, and someone else cannot tell the difference.

This is the reason why you should keep a revocation certificate in a secure place. Once the key is revoked there is no more chance for an attacker (modulo distribution problems - but this is the same as with CRLs).

-- 
Werner Koch         For anything that is not diminished by being given away
g10 Code GmbH       is not yet possessed as it ought to be possessed, so long
Privacy Solutions   as it is held and not given.
                                                             -- Augustinus