Validity period of GPG-keys

Dennis Lambe Jr. malsyned@cif.rochester.edu
Tue May 27 20:01:01 2003


On Tue, 2003-05-27 at 04:17, Jan Dirnberger wrote:
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to get out how long the validity period of a GPG-key
> should be set in a company or other organisations the info-material we collect
> is for in.
>
> First I wanted to advise an unrestricted validity, but then I remembered that
> organisations or enterprises might have often changing members. So I'm caught
> between the devil and the deep blue sea what to advise...

Is it possible for a key signer to revoke its signature on a key?  This
seems like a natural thing to want to do, but I've never seen it
documented.

I think it might solve this question as well.  You designate a key,
owned by the organization, to be a CA for the organization.  It is used
to sign every member's key, and when a member leaves an organization,
the CA's signature is revoked on that key, indicating that it is no
longer valid.

If everyone syncs to the same keyserver, this appears to me to be a
workable way to achieve Jan's goals.  Is this possible, and if not, is
there a security reason why not, or has it just not been implemented?

--Dennis Lambe
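An added example, not part of Dennis's message, of the lifecycle he describes: an organisation CA key certifies a member's key and later withdraws only that certification. It uses GnuPG's --quick-sign-key and --quick-revoke-sig (the latter needs GnuPG 2.2.24 or newer) inside a throwaway GNUPGHOME; the organisation, the addresses and the member are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the original thread: an organisation CA key certifies a
# member's key, then revokes only that certification when the member leaves.
# Constructed names/addresses; needs GnuPG >= 2.2.24 for --quick-revoke-sig.
# Everything runs inside a throwaway GNUPGHOME.

# Print "<sig-count> <rev-count>" for certifications on key $2 made by key ID $1.
count_ca_sigs() {
    gpg --batch --with-colons --list-sigs "$2" 2>/dev/null |
        awk -F: -v ca="$1" '
            ($1 == "sig" || $1 == "rev") && $5 == ca { n[$1]++ }
            END { printf "%d %d\n", n["sig"] + 0, n["rev"] + 0 }'
}

# Returns 0 when the flow behaves as expected, 77 when gpg is not installed.
demo_revoke_ca_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping" >&2; return 77; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # 1. Organisation CA key and one member key (unprotected: demo only).
    for uid in "Example Org CA <ca@example.org>" "Alice Member <alice@example.org>"; do
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" default default never >/dev/null 2>&1
    done
    ca_fpr=$(gpg --batch --with-colons --list-keys ca@example.org |
        awk -F: '$1 == "fpr" { print $10; exit }')
    member_fpr=$(gpg --batch --with-colons --list-keys alice@example.org |
        awk -F: '$1 == "fpr" { print $10; exit }')
    ca_keyid=$(printf '%s' "$ca_fpr" | tail -c 16)   # long key ID = last 16 hex digits

    # 2. The CA certifies the member's key; this is what "membership" means here.
    gpg --batch --yes --pinentry-mode loopback --passphrase '' -u "$ca_fpr" \
        --quick-sign-key "$member_fpr" >/dev/null 2>&1
    before=$(count_ca_sigs "$ca_keyid" "$member_fpr")

    # 3. Member leaves: the CA revokes its certification. The member's key and
    #    its other signatures are untouched; only the CA's vouching is withdrawn.
    gpg --batch --yes --pinentry-mode loopback --passphrase '' -u "$ca_fpr" \
        --quick-revoke-sig "$member_fpr" "$ca_fpr" >/dev/null 2>&1
    after=$(count_ca_sigs "$ca_keyid" "$member_fpr")

    echo "CA certification (sig rev) before: $before, after: $after"
    # Expect one certification and no revocation before, a revocation after.
    [ "$before" = "1 0" ] && [ "${after#* }" -ge 1 ]
}
```

After the revocation, `gpg --check-sigs` on the member key shows the CA's certification as a `rev` line while the key itself stays unrevoked, which is exactly the distinction Dennis is asking about. Anyone relying on this scheme must also refresh the member key from the shared keyserver, since the revocation is only visible once it has been published.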
