Robot CA at toehold.com
Per Tunedal
pt@radvis.nu
Fri Dec 6 14:36:04 2002
At 12:57 2002-12-06 +0100, you wrote:
>Per Tunedal <pt@radvis.nu> wrote on 2002-12-06 at 10:08:
>
>>>> Or you let the signing key expire (eg after 1 year).
>>>
>>> Better to expire the signatures themselves. If you expire your
>>> signing key, then everyone will have to get their key re-signed.
>>
>> I agree. Otherwise the CA-service would be useless.
>
>NACK
>
>Do you still possess all mail addresses you had 5 years ago? Who does?
>
>So what is the use of signing an e-mail address for infinite time?
>
>For the service to be useful the need to recertify after a period of time
>is mandatory.
>
>If it works with expiring signatures as well I am fine about it.
>
>But letting the authority's key expire (not revoke it!) was not a problem
>either.
>I have several trust paths in my keyring that depend on expired CA keys and
>they work fine.
>
>And if a user who relies on a robotCA signature gets the message:
>"This signature is more than a year old and thus needs to be updated" it is
>a good thing to happen.
>
>Greeting, Michi
You are right! Besides, X.509 certificates usually will expire in one year.
So it might not be any big fuss if the signatures from the Robot-CA expire.
Per Tunedal