Best practice for periodic key change?
Jerome Baum
jerome at jeromebaum.com
Sat May 7 13:59:42 CEST 2011
On Sat, May 7, 2011 at 04:33, Grant Olson <kgo at grant-olson.net> wrote:
> On 5/6/2011 10:05 PM, Hauke Laging wrote:
> >
> > Several people have mentioned that a signature does not become invalid by
> > expiration of the key. That is formally correct and describes the GnuPG
> > behaviour. But with regard to content in such a case there has to be an
> > additional proof that the signature has been made before the key expired. This
> > is a formal rule in e.g. the German signature law. If you want to use legally
> > accepted signatures for proving documents then you have to sign both the
> > document and the old signature by a new key (i.e. one with a later expiration
> > date) before the old key expires.
> >
>
> I know nothing about German laws, but that just doesn't sound right to me.
>
> 1) I digitally sign a document saying I owe you money. The signing key
> has an expiration date.
>
> 2) Key expires. I do nothing.
>
> 3) The original document is invalidated. I no longer owe you money?

Do realize that it is necessary to re-sign from a practical standpoint (while
I don't agree about the implication to a signature from an expired sub-key,
yes you can set back your system clock), plus it's not the document that
makes you owe me money. You owe me the money and the document only testifies
to this.
--
Jerome Baum
tel +49-1578-8434336
email jerome at jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA