Best practice for periodic key change?
Grant Olson
kgo at grant-olson.net
Sat May 7 22:31:34 CEST 2011
On 5/7/2011 7:54 AM, Hauke Laging wrote:
> On Saturday, 7 May 2011, 04:33:17, Grant Olson wrote:
>
>> 1) I digitally sign a document saying I owe you money. The signing key
>> has an expiration date.
>>
>> 2) Key expires. I do nothing.
>>
>> 3) The original document is invalidated. I no longer owe you money?
>
> Whether you owe me money does not depend on signing any documents in general.
> :-) Documents are usually just a proof.
>
> You can still claim that somebody owes you money but the document does not
> have the same legal value. What courts decide is another question...
>
Yes, of course.
> But the fiscal authorities don't accept digital bills (probably the most
> frequent use of legally qualified signatures here) which are signed by expired
> keys only. You need a chain of signatures which prove that there was a
> non-expired signature at any point in time.
>
> For the same reason it makes sense to have digitally signed documents signed
> by another key (not just the document but the document together with the
> signature) at once when you get them, because you cannot know whether and when a
> key will be revoked in the future. The moment it is revoked, if you cannot
> prove that the signatures are older than the revocation, all signatures are dead.
>
Okay, now I understand. It sounds like you're talking about something like
digital notarization. That makes sense now.
--
Grant
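As an added illustration of the signature chain Hauke describes (this is example code, not from the thread or from GnuPG): a toy model using Go's standard-library ed25519, in which a notary countersigns the document together with its signature and a timestamp, so a verifier can still accept the original signature after the signer's key has expired, as long as the notary's key is still valid. Key names, dates, the byte layout of the countersigned message and the function names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Key is a minimal stand-in for an OpenPGP signing key with an expiry date.
type Key struct {
	Pub     ed25519.PublicKey
	Priv    ed25519.PrivateKey
	Expires time.Time
}
func NewKey(expires time.Time) Key {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Key{pub, priv, expires}
}

// Notarized is what the notary signs: document, original signature and the
// time of notarization concatenated, so none of them can be swapped later.
func Notarized(doc, sig []byte, at time.Time) []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(at.Unix()))
	return append(append(append([]byte{}, doc...), sig...), ts...)
}

// VerifyNow trusts only keys unexpired at verification time: once the
// signer's key expires, the signed document alone proves nothing.
func VerifyNow(signer Key, doc, sig []byte, now time.Time) error {
	if !now.Before(signer.Expires) {
		return errors.New("signer key expired")
	}
	if !ed25519.Verify(signer.Pub, doc, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// VerifyChain accepts the original signature as long as a notary key that is
// still valid now attests that the signature existed before the signer's key expired.
func VerifyChain(signer, notary Key, doc, sig, nsig []byte, at, now time.Time) error {
	if !now.Before(notary.Expires) {
		return errors.New("notary key expired: chain needs another link")
	}
	if !ed25519.Verify(notary.Pub, Notarized(doc, sig, at), nsig) {
		return errors.New("bad countersignature")
	}
	// The original signature is judged as of the notarization time, not now.
	return VerifyNow(signer, doc, sig, at)
}
```

Each further link (a new notary signing the previous countersignature before that notary's key expires) extends the chain in the same way.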