On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote:
>> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
>> > that the validity should be <6 month. What is the protocol when the
>> > expiry date is approaching?
>>
>> I'd say that should be changed. With keys changing every half a year,
>> we're soon going to have a tree spammed with Manifests signed using
>> expired keys.
>
> Correct me if I'm wrong, but that does not invalidate the signature (if it
> was made before expiration).

it does not. the only thing that matters when checking signatures is that the key was valid *when the signature was made*. the fact that you're checking the signature years after the key expired is irrelevant.

-mike
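
The rule stated in this reply can be checked from GnuPG's machine-readable output by comparing the signature creation time in a `VALIDSIG` status line with the key's validity window from a `--with-colons` key listing. This is an added example, not part of the original message: the sample lines and fingerprint are constructed, the helper names are hypothetical, timestamps are assumed to be epoch seconds, and only primary-key expiry is considered. It takes the creation time recorded in the signature at face value.

```python
# Constructed sample data (not real keys), laid out as GnuPG's doc/DETAILS
# describes --status-fd lines and --with-colons key listings.
FPR = "000011112222333344445555AAAABBBBCCCCDDDD"
STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] EXPKEYSIG AAAABBBBCCCCDDDD Constructed Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2010-12-01 1291161600 0 4 0 1 8 00 {FPR}\n"
)
COLONS = (
    "pub:e:2048:1:AAAABBBBCCCCDDDD:1285000000:1300000000::-:::sc::::::\n"
    f"fpr:::::::::{FPR}:\n"
)

def key_windows(colons):
    """Map primary-key fingerprint -> (created, expires or None)."""
    windows, pending = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 6 is the creation time, field 7 the expiry (empty = none).
            pending = (int(f[5]), int(f[6]) if f[6] else None)
        elif f[0] == "fpr" and pending is not None:
            windows[f[9]] = pending  # first fpr record after pub is the primary
            pending = None
    return windows

def classify(status, windows):
    """Return (fingerprint, verdict) for every VALIDSIG line in the status text."""
    results = []
    for line in status.splitlines():
        p = line.split()
        if len(p) < 5 or p[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        fpr, sig_time = p[2], int(p[4])
        primary = p[11] if len(p) >= 12 else fpr  # last field: primary key fpr
        if primary not in windows:
            verdict = "unknown-key"
        else:
            created, expires = windows[primary]
            if sig_time < created:
                verdict = "made-before-key-created"
            elif expires is not None and sig_time >= expires:
                verdict = "made-after-key-expired"
            else:
                verdict = "made-while-key-valid"
        results.append((fpr, verdict))
    return results

if __name__ == "__main__":
    print(classify(STATUS, key_windows(COLONS)))
```
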