Key expiration question

Peter Lebbing peter at digitalbrains.com
Tue Jun 13 15:02:35 CEST 2017


On 13/06/17 09:55, Chris Horrocks wrote:
> At first I thought it may be a mechanism for revalidating private
> key ownership but key expiration doesn't appear to impact on trust or
> validity.

An expired key will definitely not be able to issue valid signatures
after the expiration date. So any certifications made after the expiry
will definitely not influence the validity of another key either,
whether positively or negatively.

I don't know how certifications made before the expiry are handled. So,
I don't know whether some other keys either lose their validity after
the expiry or they keep their validity.

So I disagree that expiry doesn't impact trust and validity.

> So I thought it may be a mechanism for time constraining key
> use but there doesn't appear to be anything in the RFC to mandate the
> handling (or not as the case may/should be) of expired keys.

Not everything that is needed for a sane implementation is in the RFC.

Expiring your key will certainly force your correspondents to see if
there is anything new about it if they still want to verify your
signatures or encrypt messages to you (you can't encrypt to an expired key).

You ask what the purpose is of key expiry, but I think it has multiple
possible purposes. I'd phrase it as "what is the mechanism of key
expiry" and then decide whether that mechanism fits the purpose you have
in mind or not. Supposing that you do have a purpose in mind.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
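
Added illustration (not part of Peter's message, and not GnuPG's code): the
script below shows the mechanism Peter refers to, namely where an OpenPGP key's
expiry actually lives. Per RFC 4880 the key packet itself only carries a
creation time; the expiry is the Key Expiration Time subpacket (type 9,
seconds after key creation) in the hashed area of the newest self-signature.
The key it inspects is constructed inline with dummy MPIs and no real
cryptographic signature, so it runs offline; the name, date and validity
periods are made up for the example.

```python
"""Where OpenPGP (RFC 4880) key expiry lives: added illustration on a constructed key."""
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUBPKT_SIG_CREATION, SUBPKT_KEY_EXPIRY = 2, 9        # RFC 4880 5.2.3.4 / 5.2.3.6
CERTIFICATION_TYPES = (0x10, 0x11, 0x12, 0x13)
DAY = 86400

def _packet(tag, body):           # new-format header, one-octet length (< 192)
    return bytes([0xC0 | tag, len(body)]) + body

def _subpacket(sp_type, data):    # signature subpacket, one-octet length
    return bytes([1 + len(data), sp_type]) + data

def build_self_sig(made, key_validity_seconds=None):
    """Constructed v4 positive certification (0x13); hash remainder and MPI are dummies."""
    hashed = _subpacket(SUBPKT_SIG_CREATION, struct.pack(">I", made))
    if key_validity_seconds is not None:              # seconds after key *creation*
        hashed += _subpacket(SUBPKT_KEY_EXPIRY, struct.pack(">I", key_validity_seconds))
    body = bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0) + b"\x00\x00" + struct.pack(">H", 8) + b"\xff"
    return _packet(TAG_SIGNATURE, body)

def build_key(created, self_sigs):
    """Constructed transferable public key: v4 key packet, user ID, self-signatures."""
    dummy_mpi = struct.pack(">H", 8) + b"\xff"
    pk = bytes([4]) + struct.pack(">I", created) + bytes([1]) + dummy_mpi * 2
    uid = _packet(TAG_USER_ID, b"Alice Example <alice@example.org>")   # made-up user ID
    return _packet(TAG_PUBLIC_KEY, pk) + uid + b"".join(self_sigs)

def _read_len(buf, i, subpacket=False):
    """New-format length at buf[i] -> (length, next index); partial lengths unsupported."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < (255 if subpacket else 224):           # subpackets use 224..254 as two-octet
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data):
    """Yield (tag, body) per packet; accepts old-format headers (as gpg exports) and new."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                # new format
            tag = hdr & 0x3F
            length, i = _read_len(data, i + 1)
        else:                                         # old format
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 0x03]
            if size is None:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def hashed_subpackets(sig_body):
    """(signature type, {subpacket type: data}) from the hashed area, the part a signature covers."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed, subpackets, j = sig_body[6:6 + hashed_len], {}, 0
    while j < len(hashed):
        length, j = _read_len(hashed, j, subpacket=True)
        subpackets[hashed[j] & 0x7F] = hashed[j + 1:j + length]   # drop critical bit
        j += length
    return sig_body[1], subpackets

def key_expiry(key_bytes):
    """(creation, expiry) Unix times of the primary key; None = never. Newest self-cert wins."""
    creation, newest = None, None
    for tag, body in iter_packets(key_bytes):
        if tag == TAG_PUBLIC_KEY:
            if body[0] != 4:
                raise ValueError("only v4 keys are handled")
            creation = struct.unpack(">I", body[1:5])[0]
        elif tag == TAG_SIGNATURE:
            sig_type, sp = hashed_subpackets(body)
            if sig_type not in CERTIFICATION_TYPES:     # skip subkey bindings etc.
                continue
            made = struct.unpack(">I", sp[SUBPKT_SIG_CREATION])[0]
            if newest is None or made > newest[0]:     # RFC 4880 5.2.3.3
                newest = (made, sp)
    if creation is None:
        raise ValueError("no public-key packet found")
    validity = 0
    if newest is not None and SUBPKT_KEY_EXPIRY in newest[1]:
        validity = struct.unpack(">I", newest[1][SUBPKT_KEY_EXPIRY])[0]
    return creation, (creation + validity if validity else None)   # 0 = never expires

def key_usable_at(key_bytes, now):
    """False once expiry has passed: no new signatures from it, no encrypting to it."""
    expiry = key_expiry(key_bytes)[1]
    return expiry is None or now < expiry

KEY_CREATED = 1497312000                         # 2017-06-13T00:00:00Z, constructed
ORIGINAL_KEY = build_key(KEY_CREATED, [build_self_sig(KEY_CREATED, 365 * DAY)])
# Owner later adds a self-signature extending validity to three years; the old
# one stays in the key, and correspondents only see the new one after a refresh.
REFRESHED_KEY = build_key(KEY_CREATED, [
    build_self_sig(KEY_CREATED, 365 * DAY),
    build_self_sig(KEY_CREATED + 300 * DAY, 3 * 365 * DAY),
])

if __name__ == "__main__":
    print("original:", key_expiry(ORIGINAL_KEY), "refreshed:", key_expiry(REFRESHED_KEY))
```

Two practical points follow from this layout. First, because the expiry is a
statement inside a self-signature rather than a field of the key packet, the
owner can push it out by issuing a new self-signature, and a correspondent who
never refetches the key (for example with `gpg --refresh-keys`) keeps seeing
the old one and concludes the key is dead; that is the refresh pressure Peter
describes. Second, this script only walks packet structure and does not verify
anything: on a real key, let gpg verify the self-signature before believing any
expiry it carries, since an unverified self-signature could have been attached
by anyone.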
