Extending the key expiration date
Werner Koch
wk@gnupg.org
Thu Sep 6 19:10:01 2001
On 06 Sep 2001 17:44:11 +0200, Florian Weimer said:
> CRLs whose length is monotonically increasing are a problem. If there
> is a general consensus that keys are invalid after their expiration,
> it is not necessary to include expired keys in CRLs by default.
However, we don't use CRLs with OpenPGP and a keyserver will never drop
a key. I don't see a problem with that. For an important signature
you will always check the keyservers for a revocation, so there is not
much point in having an expiration time on the primary key; the only
true solution is to use one-time public keys.
> An attacker who has obtained access to the private key can do the
> same, and someone else cannot tell the difference.
This is the reason why you should keep a revocation certificate at a
secure place. Once the key is revoked there is no more chance for an
attacker (modulo distribution problems - but this is the same as with CRLs).
--
Werner Koch Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions -- Augustinus
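The workflow the reply recommends (keep a revocation certificate somewhere safe, then use it to revoke the key once the private key is lost or stolen), as an added example that is not part of the original thread or of GnuPG's own documentation. It assumes GnuPG 2.1 or later is installed as `gpg`; the user ID, the temporary keyring directory and the "safe copy" location are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generate a throwaway key in an isolated GNUPGHOME, keep the revocation
# certificate GnuPG writes at key creation, then use it to revoke the key and
# confirm the keyring now marks the key revoked. Assumes GnuPG >= 2.1 as "gpg".
set -eu

# Isolated keyring so the demo never touches the user's real keys (constructed).
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Constructed user ID for the demo key.
UID_STR="Demo Key <demo@example.invalid>"

# A key without expiration: as the reply argues, expiry on the primary key buys
# little; what stops an attacker holding the private key is the revocation.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$UID_STR" default default never

# Fingerprint of the primary key, from machine-readable (--with-colons) output.
fingerprint() {
    gpg --batch --with-colons --list-keys "$UID_STR" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity flag of the primary key: "u" (ultimate) for our own fresh key,
# "r" once a revocation signature has been attached to it.
key_validity() {
    gpg --batch --with-colons --list-keys "$UID_STR" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

FPR="$(fingerprint)"

# GnuPG 2.1+ stores a revocation certificate at key creation. Its first line is
# prefixed with ':' so it cannot be imported by accident. This file, not the
# private key, is what belongs in the "secure place".
REVCERT="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"
test -s "$REVCERT"

# The off-site copy (here just another file in the temp dir). The ':' is only
# removed from the armor header when the certificate is actually needed.
SAFE_COPY="$GNUPGHOME/revocation-backup.asc"
sed 's/^:-----BEGIN/-----BEGIN/' "$REVCERT" > "$SAFE_COPY"

# Revoking the key: importing the certificate attaches the revocation
# signature; publishing the updated key is what makes it visible to others.
revoke_with_certificate() {
    gpg --batch --quiet --import "$1"
    key_validity
}

before="$(key_validity)"
after="$(revoke_with_certificate "$SAFE_COPY")"
echo "validity before revocation: $before, after: $after"
```

After the import, `gpg --list-keys` shows the key as `[revoked]`, and `--with-colons` reports `r` in the validity field; in practice the next step is `gpg --send-keys` so the keyservers that the reply says everyone checks carry the revocation.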