signatures by a key that has since expired
Adrian 'Dagurashibanipal' von Bidder
Sat Jul 19 17:31:02 2003
On Saturday 19 July 2003 00:41, Neil Williams wrote:
> 1. How should I handle signatures on my key where the signing key has since
> expired? (The key was valid at the time that the keyholder signed my key.)
Well, the OpenPGP 'trust model' really doesn't exist and leaves everything
open to the interpretation of the users. This is not necessarily good, but
also it doesn't force you to think what some authors of the standard thought.

A key signature confirms an ID check at some point in time. This check has
been performed, regardless of the expiry of the key that made the signature.
So I guess such signatures should be perfectly valid.

An expiry date on a key signature is probably related to the fact that the
signature is not really attached to the key holder, but only to his email
address. So there needs to be trust that the key holder will be reachable at
that email address. (OTOH, if you can trust the key holder to keep his secret
key secret, all that can happen is a few encrypted messages sent to the wrong
address, which isn't really that bad in most cases).

This is totally different from a revoked signature, where the signer makes a
statement that he doesn't trust the key anymore (either because it was
compromised, or because the signer suddenly thinks that the key holder has

To overcome the lack of a defined trust model, I always use a policy url if I
make a signature (key or email) - so you'll always be able to look up exactly
what I meant by making this signature.
> 5. Are signatures made by a key that has since expired removed from the web
> of trust calculations?
Can't answer you this.
random link of the day: http://fortytwo.ch/sienapei/ileikood
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.5&md5sum=5dff868d11843276071b25eb7006da3e
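An added example, not part of the post above and not GnuPG's own code, that applies the distinction Adrian draws (a certification from a key that expired later still documents an ID check; a revoked certification is a withdrawn statement) to the machine-readable listing GnuPG prints for `gpg --with-colons --check-sigs`. The field layout used (record type, validity, key id, creation and expiration timestamps, user id, signature class) is the one documented in GnuPG's doc/DETAILS; the listing itself is constructed, the key ids and names are made up, and the verdict labels are the example's own.

```python
"""Classify the certifications on a key from a `gpg --with-colons --check-sigs`
listing, separating "signer key has since expired" from "signer revoked it".

Fields used (1-based, per GnuPG doc/DETAILS):
  1 record type      pub, uid, sig, rev, ...
  2 validity         pub: 'e' expired, 'r' revoked ...; sig: '!' good, '-' bad, '?' signer key unknown
  5 key id           for sig/rev: the key that made the signature
  6 creation date    seconds since the epoch (GnuPG 2.x style)
  7 expiration date  pub: empty when the key does not expire
 10 user id          for sig/rev: the signer's primary user id
 11 signature class  e.g. 13x positive certification, 30x certification revocation
"""

# Constructed listing: Alice's key with four outside certifications on her user id,
# followed by the signer keys so their expiry can be looked up. Not real key material.
SAMPLE_LISTING = """\
pub:f:2048:1:0123456789ABCDEF:1050000000::::::scESC::::::
uid:f::::1050000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice <alice@example.org>::::::::::0:
sig:!::1:0123456789ABCDEF:1050000000::::Alice <alice@example.org>:13x::::::::
sig:!::17:1111111111111111:1040000000::::Bob <bob@example.org>:10x::::::::
sig:!::17:2222222222222222:1045000000::::Carol <carol@example.org>:13x::::::::
rev:!::17:2222222222222222:1046000000::::Carol <carol@example.org>:30x::::::::
sig:?::17:3333333333333333:1047000000::::[User ID not found]:10x::::::::
sig:!::1:4444444444444444:1048000000::::Dave <dave@example.org>:13x::::::::
pub:e:1024:17:1111111111111111:1000000000:1041379200::::::scESC::::::
uid:e::::1000000000::1111111111111111111111111111111111111111::Bob <bob@example.org>::::::::::0:
pub:f:1024:17:2222222222222222:1010000000::::::scESC::::::
uid:f::::1010000000::2222222222222222222222222222222222222222::Carol <carol@example.org>::::::::::0:
pub:f:2048:1:4444444444444444:1020000000::::::scESC::::::
uid:f::::1020000000::4444444444444444444444444444444444444444::Dave <dave@example.org>::::::::::0:
"""

TARGET_KEY = "0123456789ABCDEF"   # Alice's key id (constructed)
NOW = 1058600000                  # roughly 19 July 2003, the date of the post


def parse_listing(text):
    """Return (pubkeys, certs): key id -> {validity, expires}, and the list of
    sig/rev records found under a user id, with the key and uid they belong to."""
    pubkeys, certs = {}, []
    current_key = current_uid = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current_key, current_uid = f[4], None
            pubkeys[current_key] = {"validity": f[1],
                                    "expires": int(f[6]) if f[6] else None}
        elif f[0] == "uid":
            current_uid = f[9]
        elif f[0] in ("sig", "rev") and current_uid is not None:
            certs.append({"type": f[0], "status": f[1], "signer": f[4],
                          "created": int(f[5]), "sigclass": f[10],
                          "target_key": current_key, "target_uid": current_uid})
    return pubkeys, certs


def classify(pubkeys, certs, target_key, now):
    """One verdict per outside certification on target_key:
      revoked               the signer later issued a certification revocation (withdrawn statement)
      valid                 good signature, signer key still valid
      valid-signer-expired  good signature made while the signer key was valid; the key expired later,
                            but the ID check it records did happen
      made-after-expiry     creation date lies after the signer key's expiry; report, don't rely on it
      unverifiable          GnuPG could not check it (signer key not in the keyring)
      bad                   GnuPG reported the signature as bad"""
    # Latest revocation per (uid, signer); a revocation only cancels older certifications.
    revoked_at = {}
    for c in certs:
        if c["type"] == "rev" and c["target_key"] == target_key:
            k = (c["target_uid"], c["signer"])
            revoked_at[k] = max(c["created"], revoked_at.get(k, 0))

    verdicts = []
    for c in certs:
        if c["target_key"] != target_key or c["type"] != "sig" or c["signer"] == target_key:
            continue  # not on this key, or the self-signature
        if revoked_at.get((c["target_uid"], c["signer"]), -1) >= c["created"]:
            verdict = "revoked"
        elif c["status"] == "?":
            verdict = "unverifiable"
        elif c["status"] != "!":
            verdict = "bad"
        else:
            expires = pubkeys.get(c["signer"], {}).get("expires")
            if expires is not None and expires <= now:
                verdict = "valid-signer-expired" if c["created"] < expires else "made-after-expiry"
            else:
                verdict = "valid"
        verdicts.append((c["signer"], verdict))
    return verdicts


def demo():
    """Run the classification over the constructed listing."""
    pubkeys, certs = parse_listing(SAMPLE_LISTING)
    return classify(pubkeys, certs, TARGET_KEY, NOW)


if __name__ == "__main__":
    for signer, verdict in demo():
        print(f"{signer}  {verdict}")
```

Against real data, pipe `gpg --with-colons --check-sigs <keyid> <signer keyids...>` into `parse_listing`; the signer keys must be in the listing for their expiry to be known, otherwise an expired signer is simply reported as `valid`, which is why the example carries them along in the sample. Older GnuPG releases print dates as yyyy-mm-dd rather than epoch seconds, so the `int()` conversions would need adjusting there.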