Fwd: Re: Best practice for periodic key change?

Grant Olson kgo at grant-olson.net
Sun May 8 22:40:36 CEST 2011


Meant to send on-list...

-------- Original Message --------
Subject: Re: Best practice for periodic key change?
Date: Sun, 08 May 2011 16:39:34 -0400
From: Grant Olson <kgo at grant-olson.net>
To: Ingo Klöcker <kloecker at kde.org>

On 5/6/11 3:48 PM, Ingo Klöcker wrote:
> On Thursday 05 May 2011, Hauke Laging wrote:
>> What is the difference between these two options with respect to the
>> point of confusion?
> 
> Unless I'm missing something the difference is as follows:
> - With prolongation of the expiration time releases signed before the 
> prolongation will keep having a valid signature.
> - If one creates a new subkey then releases signed with the old expired 
> subkey(s) will have an invalid signature. One would have to re-sign the 
> old releases with the new subkey.
> 

Nope.

The old releases won't have an invalid sig as long as the sig was made
before the expiration date.  Expiring a key now doesn't invalidate a sig
made yesterday.  Gpg will print out a note saying the key is expired,
but it's not as drastic as the error with a post-dated signature.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 570 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110508/8560cb4e/attachment.pgp>
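
An added example, not part of the original message and not GnuPG's own code: a release-verification check that reads the machine-readable status lines gpg writes with `--status-fd` and applies the rule described above, accepting a good signature from a now-expired key only when the signature timestamp predates the key's expiry. The status lines, key ID, fingerprint, user ID and the caller-supplied `key_expiry` argument are constructed assumptions.

```python
from datetime import datetime, timezone

PREFIX = "[GNUPG:] "
VERDICT_WORDS = {"GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

def parse_ts(field):
    # VALIDSIG timestamps are epoch seconds, or ISO 8601 when they contain "T".
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def assess(status_text, key_expiry):
    """Verdict for one signature's status lines.
    key_expiry (assumption): expiry of the signing key, supplied by the caller."""
    keyword, sig_time = None, None
    for line in status_text.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if not parts:
            continue
        if parts[0] in VERDICT_WORDS:
            keyword = parts[0]
        elif parts[0] == "VALIDSIG" and len(parts) >= 4:
            sig_time = parse_ts(parts[3])  # third argument: signature timestamp
    if keyword == "GOODSIG":
        return ("accept", "good signature")
    if keyword == "EXPKEYSIG":
        # Good signature, key expired by now: accept only if made before expiry.
        if sig_time is not None and sig_time < key_expiry:
            return ("accept", "good signature, made before the key expired")
        return ("reject", "signature is not dated before the key's expiry")
    return ("reject", f"no acceptable signature ({keyword})")

# Constructed sample data (placeholder key ID, fingerprint and user ID).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
EXPIRY = datetime(2011, 5, 1, tzinfo=timezone.utc)
def sample(ts, day):
    return (f"[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Release Key <rel@example.org>\n"
            f"[GNUPG:] VALIDSIG {FPR} {day} {ts} 0 4 0 1 2 00 {FPR}\n")
SIGNED_BEFORE = sample(1293840000, "2011-01-01")
SIGNED_AFTER = sample(1306886400, "2011-06-01")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Release Key <rel@example.org>\n"

if __name__ == "__main__":
    for name, text in [("before", SIGNED_BEFORE), ("after", SIGNED_AFTER), ("bad", BAD)]:
        print(name, assess(text, EXPIRY))
```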

