Renewing expiring key - done correctly?

Hauke Laging mailinglisten at hauke-laging.de
Wed Dec 4 00:20:10 CET 2013


On Wed 04.12.2013, 00:00:21 Johannes Zarl wrote:

> Sorry for asking a possibly stupid question, but how exactly does a shorter
> validity period get you more security?

This is security against the possibility that

a) the key has been compromised and revoked and you don't know that (because 
your last certificate update was before the revocation publishing)

b) the key has been compromised and cannot be revoked (because the owner has 
lost access to the secret mainkey and has neither a revocation certificate nor 
a (usable) designated revoker)

Imagine a certificate which is always prolonged for just one day. If this gets 
compromised then it will not be prolonged any more (at least not by its owner 
but we all love our highly secure offline mainkeys, don't we?) so everyone 
will notice that within hours.

On the other hand imagine a certificate which never expires and a lazy user 
(who seldom uses that key). Even a year after its revocation the lazy user may 
not have noticed the revocation yet. And thus encrypts critical information to 
the compromised key. Or worse (because the key owner wouldn't notice): Uses it 
to validate software.


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
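The two cases Hauke lists (a: revoked but the verifier has not refreshed; b: unrevocable) can be turned into a concrete number per key. The following is an added example, not code from the thread or from GnuPG: it parses the machine-readable output of `gpg --list-keys --with-colons` (a constructed sample is embedded, the key IDs are fictitious) and, for each primary key as it sits in a verifier's keyring, computes the worst-case time that verifier keeps trusting the key after an assumed compromise date. It assumes the gpg 2.1+ colon format with epoch-second timestamps in fields 6 and 7 (older versions need `--fixed-list-mode` for that).

```python
"""Worst-case exposure of a compromised OpenPGP key (cases a and b above).

Added example, not code from the original post or from GnuPG. Parses the
output of `gpg --list-keys --with-colons` and computes how long a verifier
would keep trusting each primary key after a compromise, depending on how
often that verifier refreshes and whether the owner can still revoke at all.
Assumes gpg 2.1+ colon format (epoch seconds in fields 6 and 7).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Constructed sample, not real keys. Field 2 is gpg's validity flag
# ('r' = revoked), field 6 the creation time, field 7 the expiry (empty = never).
SAMPLE_LISTING = """\
tru::1:1701648000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1701648000:1704240000::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1701648000::AA::Alice <alice@example.org>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1600000000:::-:::scESC::::::23::0:
fpr:::::::::111122223333444455556666FEDCBA9876543210:
uid:-::::1600000000::BB::Bob <bob@example.org>::::::::::0:
pub:r:4096:1:1234123412341234:1651000000:1682536000::-:::scESC::::::23::0:
uid:r::::1651000000::CC::Carol <carol@example.org>::::::::::0:
"""


@dataclass
class PrimaryKey:
    keyid: str
    validity: str                  # gpg validity flag; 'r' means revoked
    created: Optional[datetime]
    expires: Optional[datetime]    # None: the certificate never expires

    @property
    def revoked(self) -> bool:
        return self.validity == "r"


def _timestamp(field: str) -> Optional[datetime]:
    """Convert a colon-format epoch field; an empty field means 'no date'."""
    return datetime.fromtimestamp(int(field), tz=UTC) if field else None


def parse_listing(text: str) -> list[PrimaryKey]:
    """Extract the primary keys ('pub' records) from --with-colons output."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] != "pub":
            continue            # uid/fpr/sub/tru records are not needed here
        keys.append(PrimaryKey(keyid=f[4], validity=f[1],
                               created=_timestamp(f[5]),
                               expires=_timestamp(f[6])))
    return keys


def exposure_window(key: PrimaryKey, compromised_at: datetime,
                    refresh_interval: timedelta,
                    revocable: bool = True) -> Optional[timedelta]:
    """Longest time a verifier keeps trusting `key` after `compromised_at`.

    `key` is the copy in the verifier's keyring. Two things can end the
    exposure: the cached expiry date (case b: nothing else can), or the
    verifier's next refresh picking up a revocation (case a: only if the
    owner is still able to publish one). None means the exposure is unbounded.
    """
    bounds = []
    if key.expires is not None:
        bounds.append(max(key.expires - compromised_at, timedelta(0)))
    if revocable:
        bounds.append(refresh_interval)
    return min(bounds) if bounds else None


def exposure_days(key: PrimaryKey, compromised_at_iso: str,
                  refresh_days: int, revocable: bool = True) -> Optional[int]:
    """Same as exposure_window, with an ISO date and a refresh interval in days."""
    t = datetime.fromisoformat(compromised_at_iso).replace(tzinfo=UTC)
    w = exposure_window(key, t, timedelta(days=refresh_days), revocable)
    return None if w is None else w.days


if __name__ == "__main__":
    compromise = "2023-12-10"          # assumed incident date (constructed)
    for refresh in (7, 365):
        print(f"verifier refreshes every {refresh} days:")
        for k in parse_listing(SAMPLE_LISTING):
            exp = k.expires.date() if k.expires else "never"
            a = exposure_days(k, compromise, refresh)
            b = exposure_days(k, compromise, refresh, revocable=False)
            print(f"  {k.keyid} expires {exp}: revocable -> {a} days, "
                  f"unrevocable -> {'unbounded' if b is None else b} days")
```

Run against your own keyring with `gpg --list-keys --with-colons | python3 this_script.py` after replacing the sample with `sys.stdin.read()`. The never-expiring key shows the point of the thread: once the owner cannot revoke, no refresh schedule on the verifier's side ever ends the exposure, whereas a 30-day validity bounds it at 30 days regardless of how lazy the verifier is.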