Best practice for periodic key change?

Ingo Klöcker kloecker at
Sat May 7 23:08:10 CEST 2011

On Sunday 08 May 2011, Grant Olson wrote:

You seem to send messages from the future. ;-)

> On 5/6/11 3:48 PM, Ingo Klöcker wrote:
> > On Thursday 05 May 2011, Hauke Laging wrote:
> >> What is the difference between these two options with respect to
> >> the point of confusion?
> > 
> > Unless I'm missing something the difference is as follows:
> > - With prolongation of the expiration time releases signed before
> > the prolongation will keep having a valid signature.
> > - If one creates a new subkey then releases signed with the old
> > expired subkey(s) will have an invalid signature. One would have
> > to re-sign the old releases with the new subkey.
> Nope.
> The old releases won't have an invalid sig as long as the sig was
> made before the expiration date.  Expiring a key now doesn't
> invalidate a sig made yesterday.  Gpg will print out a note saying
> the key is expired, but it's not as drastic as the error with a
> post-dated signature.

Ahh. My bad. Thanks for the heads up. I wasn't aware of this difference 
between signatures made before and after the expiration date.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20110507/2a4df9d3/attachment.pgp>

More information about the Gnupg-users mailing list