Best practice for periodic key change?
Ingo Klöcker
kloecker at kde.org
Sat May 7 23:08:10 CEST 2011
On Sunday 08 May 2011, Grant Olson wrote:
You seem to send messages from the future. ;-)
> On 5/6/11 3:48 PM, Ingo Klöcker wrote:
> > On Thursday 05 May 2011, Hauke Laging wrote:
> >> What is the difference between these two options with respect to
> >> the point of confusion?
> >
> > Unless I'm missing something the difference is as follows:
> > - With prolongation of the expiration time releases signed before
> > the prolongation will keep having a valid signature.
> > - If one creates a new subkey then releases signed with the old
> > expired subkey(s) will have an invalid signature. One would have
> > to re-sign the old releases with the new subkey.
>
> Nope.
>
> The old releases won't have an invalid sig as long as the sig was
> made before the expiration date. Expiring a key now doesn't
> invalidate a sig made yesterday. Gpg will print out a note saying
> the key is expired, but it's not as drastic as the error with a
> post-dated signature.
Ahh. My bad. Thanks for the heads up. I wasn't aware of this difference
between signatures made before and after the expiration date.
Regards,
Ingo
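The distinction discussed in this message, written as a release-verification policy over `gpg --status-fd` output. This is an added example, not part of the original message and not GnuPG code. The status lines, fingerprint, timestamps and the `classify` policy are constructed for illustration, and the key expiry is assumed to be supplied by the caller from the key listing.

```python
from datetime import datetime, timezone

KEY_EXPIRY = 1304208000  # constructed: 2011-05-01 00:00:00 UTC
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint

def sample_status(keyword, sig_time):
    """Build constructed status lines in the layout GnuPG documents."""
    date = datetime.fromtimestamp(sig_time, timezone.utc).strftime("%Y-%m-%d")
    return (f"[GNUPG:] {keyword} {FPR[-16:]} Example Signer <rel@example.org>\n"
            f"[GNUPG:] VALIDSIG {FPR} {date} {sig_time} 0 4 0 1 8 00 {FPR}\n")

def classify(status_text, key_expiry):
    """Return 'accept', 'accept-expired-key' or 'reject' for one signature."""
    verdict, sig_time = None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword in ("BADSIG", "ERRSIG", "EXPSIG", "REVKEYSIG"):
            return "reject"
        if keyword in ("GOODSIG", "EXPKEYSIG"):
            if verdict is not None:  # several signatures: out of scope here
                return "reject"
            verdict = keyword
        elif keyword == "VALIDSIG":
            # Fields: fingerprint, creation date, sig-timestamp, ...
            # This example handles epoch seconds only and rejects anything else.
            if len(fields) < 4 or not fields[3].isdigit():
                return "reject"
            sig_time = int(fields[3])
    if verdict is None or sig_time is None:
        return "reject"
    if verdict == "GOODSIG":
        return "accept"
    # Key has expired: accept only a signature dated before the expiry.
    return "accept-expired-key" if sig_time < key_expiry else "reject"

if __name__ == "__main__":
    for kw, ts in (("GOODSIG", 1301616000), ("EXPKEYSIG", 1301616000),
                   ("EXPKEYSIG", 1304640000), ("BADSIG", 1301616000)):
        print(kw, ts, "->", classify(sample_status(kw, ts), KEY_EXPIRY))
```

The signature timestamp is written by the signer, so this check separates old releases from new ones only as far as the signer's clock is trusted.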