Best practice for periodic key change?

Jerome Baum jerome at jeromebaum.com
Sat May 7 13:59:42 CEST 2011


On Sat, May 7, 2011 at 04:33, Grant Olson <kgo at grant-olson.net> wrote:

> On 5/6/2011 10:05 PM, Hauke Laging wrote:
> >
> > Several people have mentioned that a signature does not become invalid by
> > expiration of the key. That is formally correct and describes the GnuPG
> > behaviour. But with regard to content in such a case there has to be an
> > additional proof that the signature has been made before the key expired.
> > This is a formal rule in e.g. the German signature law. If you want to use
> > legally accepted signatures for proving documents then you have to sign
> > both the document and the old signature by a new key (i.e. one with a
> > later expiration date) before the old key expires.
> >
>
> I know nothing about German laws, but that just doesn't sound right to me.
>
> 1) I digitally sign a document saying I owe you money.  The signing key
> has an expiration date.
>
> 2) Key expires.  I do nothing.
>
> 3) The original document is invalidated.  I no longer owe you money?


Do realize that it is necessary to re-sign from a practical standpoint (while
I don't agree about the implication to a signature from an expired sub-key,
yes you can set back your system clock), plus it's not the document that
makes you owe me money. You owe me the money and the document only testifies
this.

-- 
Jerome Baum

tel +49-1578-8434336
email jerome at jeromebaum.com
-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
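The re-signing rule quoted above, modelled as an added example (not code from the original post, and not GnuPG): HMAC-SHA256 stands in for an OpenPGP signature so it runs offline with only the standard library, and the key ids, secrets, document and Unix timestamps are constructed. It checks a chain in which the first link signs the document and each later link signs the document together with the previous signature, accepting the chain only if every countersignature was made before the key it vouches for expired and the last key is still valid at verification time.

```python
"""Added example: a chain-of-countersignature check modelling the
"sign the document and the old signature with a newer key before the old
key expires" rule. Not GnuPG code; HMAC-SHA256 stands in for OpenPGP
signatures so this runs offline. Keys, secrets and times are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Key:
    key_id: str
    secret: bytes          # stand-in for private key material (hypothetical)
    created: int           # Unix seconds
    expires: int           # Unix seconds; 0 means the key never expires

    def usable_at(self, t: int) -> bool:
        return self.created <= t and (self.expires == 0 or t < self.expires)


@dataclass
class Signature:
    key_id: str
    created: int           # self-asserted by the signer, who owns the clock
    data: bytes            # exactly what was signed
    mac: bytes


def _to_sign(key_id: str, created: int, data: bytes) -> bytes:
    # Bind key id, claimed creation time and a digest of the data together,
    # roughly as an OpenPGP signature packet hashes its subpackets.
    return key_id.encode() + created.to_bytes(8, "big") + hashlib.sha256(data).digest()


def sign(key: Key, data: bytes, now: int) -> Signature:
    mac = hmac.new(key.secret, _to_sign(key.key_id, now, data), "sha256").digest()
    return Signature(key.key_id, now, data, mac)


def countersign(key: Key, doc: bytes, prev: Signature, now: int) -> Signature:
    # The new key signs the document *and* the earlier signature, so the
    # countersignature vouches for the old signature having existed by `now`.
    return sign(key, doc + prev.mac, now)


def mac_ok(key: Key, sig: Signature) -> bool:
    expected = hmac.new(key.secret, _to_sign(key.key_id, sig.created, sig.data),
                        "sha256").digest()
    return hmac.compare_digest(expected, sig.mac)


def verify_chain(doc: bytes, chain: list, keys: dict, now: int) -> tuple:
    """chain[0] signs doc; chain[i] signs doc || chain[i-1].mac.

    Accept only if every link verifies over the right bytes, every link was
    made while its own key was usable, every countersignature was made
    before the key it vouches for expired, and the final key is usable now.
    """
    if not chain:
        return False, "no signature"
    expected_data = doc
    for i, sig in enumerate(chain):
        key = keys.get(sig.key_id)
        if key is None or sig.data != expected_data or not mac_ok(key, sig):
            return False, f"link {i}: signature does not verify"
        if not key.usable_at(sig.created):
            return False, f"link {i}: key {key.key_id} was not valid at its claimed time"
        if i > 0:
            prev_key = keys[chain[i - 1].key_id]
            if prev_key.expires and sig.created >= prev_key.expires:
                return False, f"link {i}: countersigned after {prev_key.key_id} expired"
        expected_data = doc + sig.mac
    last = keys[chain[-1].key_id]
    if not last.usable_at(now):
        return False, f"chain ends in key {last.key_id}, which is expired now"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario from the thread: an IOU signed with an expiring key.
    old = Key("old", b"old-secret", created=0, expires=2000)
    new = Key("new", b"new-secret", created=0, expires=0)
    keys = {k.key_id: k for k in (old, new)}
    iou = b"I owe you 100 EUR"

    sig = sign(old, iou, now=1000)
    print(verify_chain(iou, [sig], keys, now=1500))           # (True, 'ok')
    print(verify_chain(iou, [sig], keys, now=3000))           # rejected: key expired, nothing re-signed
    renewed = countersign(new, iou, sig, now=1500)
    print(verify_chain(iou, [sig, renewed], keys, now=3000))  # (True, 'ok')
    too_late = countersign(new, iou, sig, now=2500)
    print(verify_chain(iou, [sig, too_late], keys, now=3000)) # rejected: countersigned after expiry
```

The `created` field of every link is whatever the signer's clock said, which is exactly the objection in the reply above: a signer who sets the clock back can produce a link that claims a pre-expiry time. The chain check therefore only records what the signers assert; what it adds is that a key usable at verification time has vouched for the old signature, and anchoring the time itself against a rolled-back clock needs a party other than the signer (a timestamp from someone whose clock the verifier trusts).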