Best practice for periodic key change?

Grant Olson kgo at grant-olson.net
Sat May 7 22:31:34 CEST 2011


On 5/7/2011 7:54 AM, Hauke Laging wrote:
> On Saturday, 7 May 2011, 04:33:17, Grant Olson wrote:
> 
>> 1) I digitally sign a document saying I owe you money.  The signing key
>> has an expiration date.
>>
>> 2) Key expires.  I do nothing.
>>
>> 3) The original document is invalidated.  I no longer owe you money?
> 
> Whether you owe me money does not depend on signing any documents in general. 
> :-)  Documents are usually just a proof.
> 
> You can still claim that somebody owes you money but the document does not 
> have the same legal value. What courts decide is another question...
> 

Yes, of course.

> But the fiscal authorities don't accept digital bills (probably the most 
> frequent use of legally qualified signatures here) which are signed by expired 
> keys only. You need a chain of signatures which proves that there was a 
> non-expired signature at any point in time.
> 
> For the same reason it makes sense to have digitally signed documents signed 
> by another key (not just the document but the document together with the 
> signature) at once when you get them, because you cannot know whether and when a 
> key will be revoked in the future. The moment it is revoked, if you cannot 
> prove that the signatures are older than the revocation, all signatures are dead.
> 

Okay, now I understand.  It sounds like you're talking about something like a
digital notarization.  That makes sense now.

-- 
Grant
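The counter-signing idea discussed above (a second key signs the document together with its original signature as soon as it is received, so that a later expiry or revocation of the first key does not kill the proof) as an added, self-contained Go example. This is not code from the thread and not OpenPGP: it uses Ed25519 from the Go standard library, hypothetical Key and Signature types, and constructed dates and a constructed IOU text. It assumes the second key ("bob", acting as notary) is trusted to record an honest time of notarization; the signer's own embedded timestamp is deliberately not trusted, since whoever holds a compromised key could backdate it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Key is a hypothetical stand-in for an OpenPGP key: a keypair, an expiry and an optional revocation time.
type Key struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Expires time.Time
	Revoked time.Time // zero value means "not revoked"
}

func NewKey(name string, expires time.Time) (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Key{Name: name, Pub: pub, priv: priv, Expires: expires}, nil
}

// Signature carries the raw signature and the time the signer claims to have signed.
type Signature struct {
	Signer string
	When   time.Time
	Sig    []byte
}

// signedBytes prefixes the payload with the claimed time so the time is covered by the signature.
func signedBytes(when time.Time, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, uint64(when.Unix()))
	return append(buf, payload...)
}

func (k *Key) Sign(payload []byte, when time.Time) Signature {
	return Signature{Signer: k.Name, When: when, Sig: ed25519.Sign(k.priv, signedBytes(when, payload))}
}

// ValidAt checks the cryptographic signature and that the key was neither expired nor revoked at
// time t. t comes from the caller (e.g. a trusted notarization), never from the signature itself.
func (k *Key) ValidAt(payload []byte, s Signature, t time.Time) bool {
	if s.Signer != k.Name || !ed25519.Verify(k.Pub, signedBytes(s.When, payload), s.Sig) {
		return false
	}
	if t.After(k.Expires) {
		return false
	}
	if !k.Revoked.IsZero() && !t.Before(k.Revoked) {
		return false
	}
	return true
}

// Notarize signs the document together with its original signature, as the quoted post suggests.
func Notarize(notary *Key, doc []byte, orig Signature, when time.Time) Signature {
	return notary.Sign(append(append([]byte{}, doc...), orig.Sig...), when)
}

// VerifyChain accepts the original signature if it is valid now, or if a notarization that is
// itself valid now proves the signature existed while the signer's key was still good.
func VerifyChain(signer *Key, doc []byte, orig Signature, notary *Key, note Signature, now time.Time) bool {
	if signer.ValidAt(doc, orig, now) {
		return true
	}
	payload := append(append([]byte{}, doc...), orig.Sig...)
	if note.When.Before(orig.When) || !notary.ValidAt(payload, note, now) {
		return false
	}
	// The notary vouches that orig existed at note.When; check the signer's key was good then.
	// If the notary's key later expires too, the notarization itself must be re-notarized (the "chain").
	return signer.ValidAt(doc, orig, note.When)
}

// Outcome records three checks run on the constructed scenario.
type Outcome struct {
	Direct    bool // original signature checked directly at evaluation time
	Chain     bool // checked through a notarization made on receipt
	LateChain bool // checked through a notarization made after the revocation
}

// Scenario builds the constructed example: Alice signs an IOU, Bob notarizes it on receipt,
// Alice's key is later revoked, and the IOU is evaluated two years on.
func Scenario() (Outcome, error) {
	day := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	alice, err := NewKey("alice", day("2012-01-01"))
	if err != nil {
		return Outcome{}, err
	}
	bob, err := NewKey("bob", day("2020-01-01"))
	if err != nil {
		return Outcome{}, err
	}
	doc := []byte("I, Alice, owe Bob 100 EUR. (constructed sample IOU)")
	orig := alice.Sign(doc, day("2011-05-07"))
	note := Notarize(bob, doc, orig, day("2011-05-07")) // counter-signed at once on receipt
	alice.Revoked = day("2011-09-01")                   // key compromised and revoked later
	late := Notarize(bob, doc, orig, day("2011-10-01")) // too late: made after the revocation
	now := day("2013-06-01")
	return Outcome{
		Direct:    alice.ValidAt(doc, orig, now),
		Chain:     VerifyChain(alice, doc, orig, bob, note, now),
		LateChain: VerifyChain(alice, doc, orig, bob, late, now),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("direct check in 2013: %v\nvia notarization on receipt: %v\nvia post-revocation notarization: %v\n",
		o.Direct, o.Chain, o.LateChain)
}
```

The direct check fails in 2013 because Alice's key has both expired and been revoked, the notarization made on receipt rescues the signature because it pins it to a date before the revocation, and a notarization made after the revocation does not help, which is the point of counter-signing at once rather than later.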
