Best practice for periodic key change?
jerome at jeromebaum.com
Sat May 7 13:59:42 CEST 2011
On Sat, May 7, 2011 at 04:33, Grant Olson <kgo at grant-olson.net> wrote:
> On 5/6/2011 10:05 PM, Hauke Laging wrote:
> > Several people have mentioned that a signature does not become invalid by
> > expiration of the key. That is formally correct and describes the GnuPG
> > behaviour. But with regard to content in such a case there has to be an
> > additional proof that the signature has been made before the key expired.
> > That is a formal rule in e.g. the German signature law. If you want to use
> > accepted signatures for proving documents then you have to sign both the
> > document and the old signature by a new key (i.e. one with a later
> > date) before the old key expires.
> I know nothing about German laws, but that just doesn't sound right to me.
> 1) I digitally sign a document saying I owe you money. The signing key
> has an expiration date.
> 2) Key expires. I do nothing.
> 3) The original document is invalidated. I no longer owe you money?
Do realize that it is necessary to resign from a practical standpoint (while
I don't agree about the implication to a signature from an expired sub-key,
yes you can set back your system clock), plus it's not the document that
makes you owe me money. You owe me the money and the document only testifies
email jerome at jeromebaum.com
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
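As an added example (not code from this thread or from GnuPG), a small Python checker that applies the policy discussed above to constructed `gpg --status-fd` lines: a signature by a now-expired key is reported as "unproven" rather than invalid, because its own timestamp comes from the signer's clock and cannot show it predates the expiry, so only a countersignature made before the expiry date would. The status-line layout follows GnuPG's doc/DETAILS; the fingerprint and timestamps are placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class SigReport:
    fingerprint: Optional[str] = None     # from VALIDSIG
    sig_time: Optional[int] = None        # signature creation, seconds since epoch
    key_expired_at: Optional[int] = None  # from KEYEXPIRED, if present
    expired_key: bool = False             # EXPKEYSIG seen


def parse_status(lines: Iterable[str]) -> SigReport:
    """Collect the expiry-related fields from GnuPG status-fd output."""
    rep = SigReport()
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "VALIDSIG":
            # VALIDSIG <fpr> <YYYY-MM-DD> <sig-timestamp> <sig-expiry> ...
            rep.fingerprint, rep.sig_time = parts[2], int(parts[4])
        elif tag == "KEYEXPIRED":
            rep.key_expired_at = int(parts[2])
        elif tag == "EXPKEYSIG":
            rep.expired_key = True
    return rep


def classify(rep: SigReport) -> str:
    """Local policy: GnuPG accepting the signature is not proof of when it was made."""
    if rep.fingerprint is None or rep.sig_time is None:
        return "no-valid-signature"
    if not rep.expired_key:
        return "good"
    if rep.key_expired_at is not None and rep.sig_time >= rep.key_expired_at:
        return "reject: signature timestamp is not before key expiry"
    # Signer-controlled timestamp: demand a countersignature made before expiry.
    return "unproven: needs a pre-expiry countersignature"


# Constructed sample status lines (not real gpg output); FPR is a placeholder.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = [f"[GNUPG:] GOODSIG {FPR[-16:]} Example Signer <signer@example.invalid>",
        f"[GNUPG:] VALIDSIG {FPR} 2011-05-06 1304712300 0 4 0 1 10 00 {FPR}"]
EXPIRED = [f"[GNUPG:] EXPKEYSIG {FPR[-16:]} Example Signer <signer@example.invalid>",
           f"[GNUPG:] VALIDSIG {FPR} 2011-05-06 1304712300 0 4 0 1 10 00 {FPR}",
           "[GNUPG:] KEYEXPIRED 1306000000"]
LATE = [EXPIRED[0], EXPIRED[2],
        f"[GNUPG:] VALIDSIG {FPR} 2011-06-10 1307000000 0 4 0 1 10 00 {FPR}"]
```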