Extending the key expiration date
Thu Sep 6 19:10:01 2001
On 06 Sep 2001 17:44:11 +0200, Florian Weimer said:
> CRLs whose length is monotonically increasing are a problem. If there
> is a general consensus that keys are invalid after their expiration,
> it is not necessary to include expired keys in CRLs by default.
However, we don't use CRLs with OpenPGP and a keyserver will never drop
a key. I don't see a problem with that. For an important signature
you will always check the keyservers for a revocation, so there is not
much point in having an expiration time on the primary key, the only
true solution is to use one-time public keys.
> An attacker who has obtained access to the private key can do the
> same, and someone else cannot tell the difference.
This is the reason why you should keep a revocation certificate in a
secure place. Once the key is revoked there is no more chance for an
attacker (modulo distribution problems - but this is the same as with CRLs).
Werner Koch
g10 Code GmbH
Privacy Solutions

Omnis enim res, quae dando non deficit, dum habetur
et non datur, nondum habetur, quomodo habenda est.
-- Augustinus
(For whatever is not lessened by being given away, while it is possessed
and not given, is not yet possessed as it ought to be possessed.)
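The advice above, keeping a pre-generated revocation certificate so that a compromised key can be revoked even without the private key, as an added walk-through that is not part of Werner's message or of the GnuPG project itself. It assumes a GnuPG 2.1 or later `gpg` on the PATH, which writes a revocation certificate to `$GNUPGHOME/openpgp-revocs.d/<fingerprint>.rev` at key generation time; the user id `test@example.invalid` is a constructed placeholder. The script creates a throwaway key in a temporary home directory, copies the stored certificate (removing the colon GnuPG prepends to its armor header to prevent accidental import), imports it, and reports the key's validity field from `--with-colons` output, which reads `r` once the key is revoked.

```shell
#!/bin/sh
# Added example, not from the original message: exercise a stored
# OpenPGP revocation certificate against a throwaway key.
# Assumes gpg >= 2.1 (writes openpgp-revocs.d/<FPR>.rev on key creation).
set -eu

# Returns (on stdout) the validity letter of the test key after the
# stored revocation certificate has been imported: "r" means revoked.
revoke_demo() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Unattended, passphrase-less key that never expires (constructed uid).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Test <test@example.invalid>' default default never \
        2>/dev/null

    # Primary key fingerprint: the first "fpr" record in colon output.
    fpr=$(gpg --batch --with-colons --list-keys 'test@example.invalid' \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # GnuPG stores a ready-made revocation certificate here; this is the
    # file to copy somewhere safe (offline media) right after key creation.
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"

    # The armor header line is prefixed with ":" so the file cannot be
    # imported by accident; strip that colon before use.
    sed 's/^://' "$rev" > "$GNUPGHOME/revoke.asc"

    # Apply the revocation to the local keyring. In real use you would also
    # publish revoke.asc to the keyservers so others pick it up.
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc" 2>/dev/null

    # Field 2 of the "pub" record is the validity: "r" == revoked.
    after=$(gpg --batch --with-colons --list-keys "$fpr" \
            | awk -F: '$1=="pub"{print $2; exit}')

    gpgconf --kill all 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    printf '%s\n' "$after"
}
```

Run `revoke_demo` and it prints `r`. The same import works on any machine holding the public key, which is the point: the certificate, not the private key, is what lets you revoke, so it must be stored at least as carefully as the key itself. Other users only see the revocation once it reaches them, typically via `gpg --refresh-keys` against a keyserver, which is the distribution problem Werner mentions.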