On 05/06/2011 13:48, Jerome Baum wrote:
On Fri, May 6, 2011 at 22:37, Doug Barton <do...@dougbarton.us> wrote:


    I don't understand this response. What I'm saying is that if the key
    is compromised, expiration dates become irrelevant.


Up to a point. If my key expired yesterday, no-one can forge a message
with that key and claim it's from today.

That's absolutely not true. New signatures can be created with expired keys, and as Werner pointed out, new signatures can be created with keys that have had their expiration dates updated. Although a percentage of users may inquire about it, it's usually the "know just enough to be dangerous" contingent (i.e., those smart enough to know that the key is expired on their key ring, but not smart enough to refresh it). There may be a tiny percentage of users who are smart enough to do both, who would then realize that the signature is invalid. However, given that the scenario you described (forgery vs. key compromise) is so overwhelmingly unlikely to happen (at least in any kind of meaningful way), I'm not sure it's worth considering.

--

        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price.  :)  http://SupersetSolutions.com/


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
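The point being argued above (that once the private key is in an attacker's hands, the key's expiration date no longer constrains what the attacker can sign) can be walked through in a small model. The following is an added example written for this page, not code from GnuPG or from either poster. It is a hypothetical model, not OpenPGP: an HMAC over canonical JSON stands in for the public-key signature (so the "verifier" here also holds the secret), the key ID, timestamps and message are constructed, and the helper names (make_key, set_expiry, sign, verify, scenario) are invented. What the model keeps faithful to OpenPGP is that the expiry lives in a self-signature anyone holding the key can reissue, and that the signature creation time is a field filled in by the signer.

```python
"""Model of how key expiry interacts with a compromised signing key.

Hypothetical illustration (not GnuPG code): an HMAC over a canonical JSON
encoding stands in for the public-key signature, so the verifier also holds
the secret. Kept faithful to OpenPGP: the expiration date is carried in a
self-signature that anyone holding the key can reissue, and the signature's
creation time is asserted by whoever makes the signature.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

DAY = 86_400  # timestamps below are seconds since epoch, in whole days


def _mac(secret: bytes, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class PublicKey:
    keyid: str
    created: int
    expires: int   # 0 means "never expires"
    selfsig: str   # binds (keyid, created, expires); reissuable by the key holder


def make_key(secret: bytes, keyid: str, created: int, expires: int) -> PublicKey:
    selfsig = _mac(secret, {"keyid": keyid, "created": created, "expires": expires})
    return PublicKey(keyid, created, expires, selfsig)


def set_expiry(secret: bytes, key: PublicKey, new_expires: int) -> PublicKey:
    """Reissue the self-signature with a new expiry: requires only the secret."""
    return make_key(secret, key.keyid, key.created, new_expires)


def sign(secret: bytes, keyid: str, message: bytes, claimed_time: int) -> dict:
    """The signature creation time is whatever the holder of the secret claims."""
    body = {"keyid": keyid, "msg": message.hex(), "time": claimed_time}
    return {"keyid": keyid, "time": claimed_time, "mac": _mac(secret, body)}


def verify(secret: bytes, keyring: dict, sig: dict, message: bytes) -> str:
    """Return GOOD, EXPIRED_KEY or BAD, judged against the verifier's own keyring copy."""
    key = keyring.get(sig["keyid"])
    if key is None:
        return "BAD"
    expected_self = _mac(secret, {"keyid": key.keyid, "created": key.created,
                                  "expires": key.expires})
    if not hmac.compare_digest(expected_self, key.selfsig):
        return "BAD"
    body = {"keyid": sig["keyid"], "msg": message.hex(), "time": sig["time"]}
    if not hmac.compare_digest(_mac(secret, body), sig["mac"]):
        return "BAD"
    if sig["time"] < key.created:
        return "BAD"
    if key.expires and sig["time"] > key.expires:
        return "EXPIRED_KEY"  # signature is cryptographically fine; this copy of the key had lapsed
    return "GOOD"


def scenario() -> dict:
    """Constructed walk-through: the victim's key is compromised; who notices what?"""
    secret = b"constructed demo secret: the victim's key, now in the attacker's hands"
    msg = b"Please wire the funds today."
    victim = make_key(secret, "DEADBEEF", created=0 * DAY, expires=100 * DAY)
    stale_keyring = {victim.keyid: victim}  # a user who never refreshed the key
    results = {}

    # 1. Forgery dated after expiry: the stale keyring reports the key as expired.
    sig_today = sign(secret, victim.keyid, msg, claimed_time=150 * DAY)
    results["stale_keyring_sig_after_expiry"] = verify(secret, stale_keyring, sig_today, msg)

    # 2. Attacker reissues the self-signature with a later expiry; a refreshed keyring accepts.
    extended = set_expiry(secret, victim, new_expires=1000 * DAY)
    fresh_keyring = {extended.keyid: extended}
    results["fresh_keyring_sig_after_old_expiry"] = verify(secret, fresh_keyring, sig_today, msg)

    # 3. Or the attacker simply backdates the signature: even the stale keyring says GOOD.
    sig_backdated = sign(secret, victim.keyid, msg, claimed_time=50 * DAY)
    results["stale_keyring_backdated_sig"] = verify(secret, stale_keyring, sig_backdated, msg)

    # 4. Tampering with the message still fails, whatever the dates say.
    results["tampered_message"] = verify(secret, fresh_keyring, sig_today, msg + b"!")
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The only observer who sees anything odd is the one with a stale keyring and a forgery the attacker chose to date after the old expiry (case 1); both a refresh (case 2) and a backdated signature (case 3) turn that into a clean GOOD. The expiration date still does its job for key loss without compromise, and revocation remains the tool for the compromise case.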
