signatures by a key that has since expired

Neil Williams
Sat Jul 19 00:40:04 2003

1. How should I handle signatures on my key where the signing key has since
expired? (The key was valid at the time that the keyholder signed my key.)

My key is on most keyservers, so I tried revsig but was only offered
self-signatures. (I guessed as much but thought I'd try to make sure before
someone suggested it!)

2. Is it expected that those people who use keys with limited expiries should
take the responsibility for signature maintenance on other keys? If that
isn't possible or if it isn't wise to allow me to use revsig on someone
else's signature of my own key, should there be / is there some way of
filtering out signatures made by keys that have expired?

3. Could --check-sigs illustrate this in a similar way to revoked signature

4. What is the general consensus on the validity/trustworthiness of expired
key signatures? (after all, the signature itself is still valid.)
What is the consensus on validity etc. of the expired key itself?
Why are expiry dates used and what is supposed to happen when the key does

5. Are signatures made by a key that has since expired removed from the web
of trust calculations?

I tend to delete expired keys from my keyring along with revoked keys as part
of a general maintenance routine as the keyring tends to get a little large
at times.

I have little chance of meeting the keyholder concerned due to unrelated


Neil Williams
