Robot CA at toehold.com

[Michael Nahrath]

Per Tunedal <pt@radvis.nu> schrieb am 2002-12-06 10:08 Uhr:

>>> Or you let the signing key expire (eg after 1 year).
>> 
>> Better to expire the signatures themselves.  If you expire your
>> signing key, then everyone will have to get their key re-signed.
> 
> I agree. Otherwise the CA-service would be useless.

NACK

Do you still posess all mail addresses you had 5 Years ago? Who does?

So what is the use of signing an e-mail address for infinite time?

For the service to be usefull the need to recertify after a period of time
is mandatory.

If it works with expiring signatures as well I am fine about it.

But letting the authority's key expire (not revoke it!) was not a problem
either. 
I have several trust paths in my keyring that depend on expired CA keys and
thy work fine. 

And if a user who relies on a robotCA signature gets the message:
"This signature is more than a year old and thus needs to be updated" it is
a good thing to happen.

Greeting, Michi