Extending the key expiration date

[Florian Weimer]

Werner Koch <wk@gnupg.org> writes:

> On 06 Sep 2001 17:44:11 +0200, Florian Weimer said:
>
>> CRLs whose length is monotonically increasing are a problem.  If there
>> is a general consensus that keys are invalid after their expiration,
>> it is not necessary to include expired keys in CRLs by default.
>
> However, we don't use CRLs with OpenPGP

Oh, really?  How many OpenPGP CAs are out there which do not offer
CRLs? ;-)

>> An attacker who has obtained access to the private key can do the
>> same, and someone else cannot tell the difference.
>
> This is the reason why you should keep an revocation certificate at a
> secure place.  Once the key is revoked there is no more chance for an
> attacker 

I think I've got to sleep over this issue.  Maybe things look
differently tomorrow. ;-)

> (modulo distribution problems - but this is the same as with CRLs)

Not quite, CRLs are signed by the CA, and you can be sure that you
have the most recent one, and that it contains all relevant
revocations.