Best practice for periodic key change?

Ingo Klöcker kloecker at kde.org
Sat May 7 22:56:14 CEST 2011


On Friday 06 May 2011, MFPA wrote:
> Hi
> 
> 
> On Friday 6 May 2011 at 8:48:03 PM, in <mid:201105062148.04108 at thufir.ingo-kloecker.de>, Ingo Klöcker wrote:
> > Unless I'm missing something the difference is as follows:
> > - With prolongation of the expiration time releases signed
> >   before the prolongation will keep having a valid signature.
> > - If one creates a new subkey then releases signed with the
> >   old expired subkey(s) will have an invalid signature. One
> >   would have to re-sign the old releases with the new subkey.
> 
> Surely the signature on the old release would still be valid; it
> would just be from a now-expired subkey instead of from the new and
> currently-valid subkey. Or have I overlooked something?

It depends on your definition of "valid". In my book a signature can 
only be valid if the corresponding key is valid. Expired keys are not 
valid (anymore).


Regards,
Ingo
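
The two readings of "valid" in this exchange correspond to different status keywords that GnuPG writes with `--status-fd`: `GOODSIG` for a good signature, and `EXPKEYSIG` for a good signature made by a key that has since expired. The following is an added example, not part of the original message; the policy names, key IDs and user IDs are constructed, and rejecting output with more than one signature result is an assumption of this sketch.

```python
# Added example: decide whether to accept a release signature from the
# machine-readable lines gpg writes with --status-fd, under two policies.
STRICT = "strict"    # the signing key must still be valid when verifying
LENIENT = "lenient"  # a good signature from a since-expired key is accepted

# Status keywords that report the result of checking one signature.
OUTCOMES = {"GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

def signature_outcome(status_text):
    """Return the outcome keyword, or None if there is not exactly one."""
    found = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]" and parts[1] in OUTCOMES:
            found.append(parts[1])
    # Zero or several results: fail closed rather than guess (assumption).
    return found[0] if len(found) == 1 else None

def accept(status_text, policy):
    """True if the signature is acceptable under the given policy."""
    outcome = signature_outcome(status_text)
    if outcome == "GOODSIG":
        return True
    if outcome == "EXPKEYSIG":
        # Cryptographically good, but the key is expired at check time.
        return policy == LENIENT
    # EXPSIG, REVKEYSIG, BADSIG, ERRSIG or no result: reject in both policies.
    return False

# Constructed status output; key IDs and user IDs are placeholders.
CURRENT_KEY = "[GNUPG:] GOODSIG 0000000000000001 Constructed Release Key\n"
EXPIRED_KEY = "[GNUPG:] EXPKEYSIG 0000000000000002 Constructed Old Subkey\n"
TAMPERED = "[GNUPG:] BADSIG 0000000000000001 Constructed Release Key\n"

if __name__ == "__main__":
    for name, text in [("current", CURRENT_KEY), ("expired", EXPIRED_KEY),
                       ("tampered", TAMPERED)]:
        print(name, signature_outcome(text),
              "strict:", accept(text, STRICT),
              "lenient:", accept(text, LENIENT))
```
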