Extending the key expiration date

Florian Weimer fw@deneb.enyo.de
Thu Sep 6 23:03:02 2001


Werner Koch <wk@gnupg.org> writes:


> On 06 Sep 2001 17:44:11 +0200, Florian Weimer said:
>
>> CRLs whose length is monotonically increasing are a problem. If there
>> is a general consensus that keys are invalid after their expiration,
>> it is not necessary to include expired keys in CRLs by default.
>
> However, we don't use CRLs with OpenPGP

Oh, really? How many OpenPGP CAs are out there which do not offer CRLs? ;-)

>> An attacker who has obtained access to the private key can do the
>> same, and someone else cannot tell the difference.
>
> This is the reason why you should keep a revocation certificate at a
> secure place. Once the key is revoked there is no more chance for an
> attacker

I think I've got to sleep over this issue. Maybe things look differently tomorrow. ;-)

> (modulo distribution problems - but this is the same as with CRLs)

Not quite, CRLs are signed by the CA, and you can be sure that you have the most recent one, and that it contains all relevant revocations.
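The two properties argued over in this exchange, a CRL being signed by the issuing CA and carrying an issue time so a relying party can tell a fresh list from a stale or replayed one, and the suggestion that entries for already-expired keys need not be kept on the list, can be shown with a small model. This is an added example, not code from the thread or from GnuPG; the CA "signature" is an HMAC stand-in for a real CA signature (an assumption made to keep it dependency-free), and all key ids, times and entries are constructed.

```python
"""Toy CRL issuance and checking (added example, not from the original post).

Shows: (1) the relying party only trusts a CRL that verifies under the CA key,
is within its validity window, and is not older than the one it already holds;
(2) the CA may prune entries for keys that have already expired, so the list
does not grow monotonically, relying on the consensus that an expired key is
invalid regardless of revocation.  HMAC stands in for the CA signature
(assumption); all keys, times and ids below are constructed sample data."""
import hashlib
import hmac
import json

CA_SECRET = b"constructed-ca-signing-key"  # stand-in for the CA's private key


def sign(payload: bytes) -> str:
    """CA 'signature' over the serialised CRL body (HMAC stand-in)."""
    return hmac.new(CA_SECRET, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(payload), sig)


def _payload(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def build_crl(revoked, key_expiry, now, number, lifetime=86400, prune_expired=True):
    """revoked: {key_id: revocation_time}; key_expiry: {key_id: expiry_time}.
    With prune_expired, keys whose expiry has already passed are left out of
    the list, which is the size-limiting behaviour discussed in the thread."""
    entries = sorted(
        k for k in revoked
        if not (prune_expired and key_expiry.get(k, float("inf")) <= now)
    )
    body = {"number": number, "this_update": now,
            "next_update": now + lifetime, "revoked": entries}
    return {"body": body, "sig": sign(_payload(body))}


class RelyingParty:
    """Holds the most recent CRL it has accepted from the CA."""

    def __init__(self):
        self.crl = None

    def accept(self, crl, now):
        """Returns 'ok' or the reason the CRL was rejected."""
        body = crl["body"]
        if not verify(_payload(body), crl["sig"]):
            return "bad signature"          # not issued (or altered) by the CA
        if now > body["next_update"]:
            return "stale"                  # past its validity window
        if self.crl and body["number"] <= self.crl["body"]["number"]:
            return "older than current"     # replay of an earlier list
        self.crl = crl
        return "ok"

    def key_status(self, key_id, key_expiry, now):
        """Expired keys are invalid whether or not they appear on the CRL."""
        if key_expiry.get(key_id, float("inf")) <= now:
            return "expired"
        if self.crl is None or now > self.crl["body"]["next_update"]:
            return "unknown"                # no fresh CRL: cannot decide
        return "revoked" if key_id in self.crl["body"]["revoked"] else "valid"


def demo():
    """Runs the scenario end to end and returns the observed results."""
    now = 1000
    revoked = {"keyA": 900, "keyB": 950}          # constructed revocations
    key_expiry = {"keyA": 5000, "keyB": 990}      # keyB expired before 'now'
    crl1 = build_crl(revoked, key_expiry, now, number=1)
    full = build_crl(revoked, key_expiry, now, number=1, prune_expired=False)
    tampered = {"body": dict(crl1["body"], revoked=[]), "sig": crl1["sig"]}
    crl2 = build_crl(revoked, key_expiry, now + 1000, number=2)
    rp = RelyingParty()
    return {
        "pruned_entries": crl1["body"]["revoked"],
        "unpruned_entries": full["body"]["revoked"],
        "accept_first": rp.accept(crl1, now),
        "accept_tampered": rp.accept(tampered, now),
        "accept_newer": rp.accept(crl2, now + 1000),
        "accept_replayed": rp.accept(crl1, now + 1000),
        "accept_stale": RelyingParty().accept(crl1, now + 200000),
        "status_A": rp.key_status("keyA", key_expiry, now + 1000),
        "status_B": rp.key_status("keyB", key_expiry, now + 1000),
        "status_C": rp.key_status("keyC", key_expiry, now + 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `number` field plays the role of a CRL sequence number: without it, an attacker who captured an older signed CRL could present it to hide a later revocation, which is the "distribution problem" the quoted reply concedes applies to revocation certificates as well. Pruning expired keys is only safe under the consensus the first quoted paragraph asks for, namely that every relying party already treats an expired key as invalid.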