signatures by a key that has since expired

Neil Williams linux@codehelp.co.uk
Sat Jul 19 00:40:04 2003



1. How should I handle signatures on my key where the signing key has since
expired? (The key was valid at the time that the keyholder signed my key.)

My key is on most keyservers, so I tried revsig but was only offered
self-signatures. (I guessed as much but thought I'd try to make sure before
someone suggested it!)

2. Is it expected that those people who use keys with limited expiries should
take the responsibility for signature maintenance on other keys? If that
isn't possible or if it isn't wise to allow me to use revsig on someone
else's signature of my own key, should there be / is there some way of
filtering out signatures made by keys that have expired?

3. Could --check-sigs illustrate this in a similar way to revoked signatures?

4. What is the general consensus on the validity/trustworthiness of expired
key signatures? (after all, the signature itself is still valid.)
What is the consensus on validity etc. of the expired key itself?
Why are expiry dates used and what is supposed to happen when the key does
expire?

5. Are signatures made by a key that has since expired removed from the web of
trust calculations?

I tend to delete expired keys from my keyring along with revoked keys as part
of a general maintenance routine as the keyring tends to get a little large
at times.

I have little chance of meeting the keyholder concerned due to unrelated
circumstances.


-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

