Best practice for periodic key change?

Hauke Laging mailinglisten at hauke-laging.de
Sat May 7 13:54:16 CEST 2011


On Saturday, 7 May 2011, 04:33:17, Grant Olson wrote:

> 1) I digitally sign a document saying I owe you money.  The signing key
> has an expiration date.
> 
> 2) Key expires.  I do nothing.
> 
> 3) The original document is invalidated.  I no longer owe you money?

Whether you owe me money does not depend on signing any documents in general. 
:-)  Documents are usually just a proof.

You can still claim that somebody owes you money but the document does not 
have the same legal value. What courts decide is another question...

But the fiscal authorities don't accept digital bills (probably the most 
frequent use of legally qualified signatures here) which are signed by expired 
keys only. You need a chain of signatures which prove that there was a non-
expired signature at any point in time.

For the same reason it makes sense to have digitally signed documents signed 
by another key (not just the document but the document together with the 
signature) as soon as you get them, because you cannot know whether and when a 
key will be revoked in the future. The moment it is revoked, if you cannot 
prove that the signatures are older than the revocation, all signatures are dead.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
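An added example (not code from the original post and not GnuPG's own) of the countersigning rule described in the message above, together with the validity check that goes with it: the document is signed, the document plus that signature is signed again by a second key, and at verification time the signature of a since-revoked or expired key is accepted only if a countersignature by a currently valid key proves it existed before the revocation. A Lamport one-time signature built from hashlib and secrets stands in for OpenPGP so the script runs with the standard library alone; the key names, timestamps and expiry dates are constructed for the demo.

```python
# Added example (not from the original post or from GnuPG): countersign a
# signed document so the inner signature can still be accepted after the
# signing key expires or is revoked.  A Lamport one-time signature built on
# hashlib/secrets stands in for OpenPGP so only the stdlib is needed; all
# names, timestamps and expiry dates below are constructed for the demo.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: each key must sign exactly one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal, for each digest bit, the preimage of the matching public hash.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

@dataclass
class Key:
    name: str
    sk: list
    pk: list
    expires: int                      # invalid at or after this time
    revoked_at: Optional[int] = None

    def valid_at(self, t: int) -> bool:
        return t < self.expires and (self.revoked_at is None or t < self.revoked_at)

@dataclass
class Signature:
    signer: str     # name of the signing key
    made_at: int    # claimed signing time; bound into the signed bytes
    sig: list

def signed_bytes(data: bytes, made_at: int) -> bytes:
    # Length prefix so data and timestamp cannot be re-split differently.
    return len(data).to_bytes(8, "big") + data + made_at.to_bytes(8, "big")

def sign(key: Key, data: bytes, now: int) -> Signature:
    return Signature(key.name, now, lamport_sign(key.sk, signed_bytes(data, now)))

def bundle(doc: bytes, inner: Signature) -> bytes:
    # What the countersigner signs: the document together with the signature.
    return signed_bytes(doc, inner.made_at) + b"".join(inner.sig)

def countersign(notary: Key, doc: bytes, inner: Signature, now: int) -> Signature:
    return sign(notary, bundle(doc, inner), now)

def proven_signing_time(doc, inner, counter, keys, now):
    """Time at which `inner` is proven to have existed while its key was valid,
    or None if the signature has to be treated as dead.  A countersignature by
    a key that is valid now pins the time to its own timestamp; without one,
    only the state of the inner key right now counts."""
    signer = keys[inner.signer]
    if not lamport_verify(signer.pk, signed_bytes(doc, inner.made_at), inner.sig):
        return None                                   # cryptographically bad
    proven = now
    if counter is not None:
        notary = keys[counter.signer]
        covered = signed_bytes(bundle(doc, inner), counter.made_at)
        if (notary.valid_at(now) and notary.valid_at(counter.made_at)
                and lamport_verify(notary.pk, covered, counter.sig)):
            proven = counter.made_at
    if inner.made_at > proven:
        return None                                   # newer than its own evidence
    return proven if signer.valid_at(proven) else None

def demo() -> dict:
    alice = Key("alice", *lamport_keygen(), expires=5000)
    early = Key("notary-early", *lamport_keygen(), expires=9000)
    late = Key("notary-late", *lamport_keygen(), expires=9000)
    keys = {k.name: k for k in (alice, early, late)}
    doc = b"I owe you 100 EUR."
    inner = sign(alice, doc, now=1000)                 # signed while alice was valid
    cs_before = countersign(early, doc, inner, now=2000)
    cs_after = countersign(late, doc, inner, now=4000)
    alice.revoked_at = 3000                            # alice's key revoked at t=3000
    now = 6000                                         # verify later; alice also expired
    return {
        "no_countersignature": proven_signing_time(doc, inner, None, keys, now),
        "countersigned_before_revocation": proven_signing_time(doc, inner, cs_before, keys, now),
        "countersigned_after_revocation": proven_signing_time(doc, inner, cs_after, keys, now),
    }

if __name__ == "__main__":
    print(demo())
```

Only the countersignature made before the revocation rescues the inner signature; one made afterwards proves nothing about the order of events, and without any countersignature the claimed signing time is just a claim. In GnuPG terms the inner signature is an ordinary signed file and the countersignature a further signature (for example a detached one) over that signed file; the evidence is only as good as the countersigner's key, so the chain has to be extended again before that key expires.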