Best practice for periodic key change?
Ingo Klöcker
kloecker at kde.org
Fri May 6 21:48:03 CEST 2011
On Thursday 05 May 2011, Hauke Laging wrote:
> On Thursday, 5 May 2011, 11:19:30, Werner Koch wrote:
> > A periodic key change is problematic because it confuses those who want
> > to verify the signatures.
> >
> > BTW, the prolongation of the expiration time has shown (by means
> > of a lot of complaining mails) that many folks don't refresh the
> > key from time to time with the goal to retrieve revocation
> > certificates.
>
> What is the difference between these two options with respect to the
> point of confusion?
Unless I'm missing something, the difference is as follows:
- With prolongation of the expiration time, releases signed before the
prolongation will keep having a valid signature.
- If one creates a new subkey, then releases signed with the old expired
subkey(s) will have an invalid signature. One would have to re-sign the
old releases with the new subkey.
Regards,
Ingo