On Sun, Oct 27, 2013 at 9:53 AM, Uwe Brauer <o...@mat.ucm.es> wrote:
>>> "Werner" == Werner Koch <w...@gnupg.org> writes:
>
> > On Sat, 26 Oct 2013 22:03, o...@mat.ucm.es said:
> >> know by the date of the certificate which certificate to use for which
> >> message?
> >>
> >> - old for old messages
>
> > Note, that there is no need for a certificate for decryption - only the
> > private key is required. The certificate is only used to show some meta
> > information.
>
> Now I am confused. Most likely my knowledge of certificates is not
> correct. (I played around with openssl to generate my own, useless,
> certificates).
>
> I thought a certificate consists of a key pair (private/public) which is
> signed by the Authority (here comodo).

Mostly correct. All that is needed to encrypt/decrypt/sign/verify
messages is the public/private keys themselves.

The certificate is a signed, structured format that binds a particular
public key to an identity (be it an email address, a name, a website,
etc.). The certificate is for public consumption: Comodo is asserting to
the world that this particular public key (and its corresponding private
key, which only you know) belongs to you (or your website, email, etc.).

On your end, all you need is the private key to decrypt messages
encrypted to your public key. You don't need a certificate to decrypt
messages that had already been encrypted to that public key -- a
certificate may expire at a certain time, but the private key has no
baked-in expiration date.

> When I apply for a certificate, the keypair is generated by the crypto
> module of the browser and then signed.

Correct.

> So I thought when I apply for a new certificate a new key pair
> is generated which gets signed again.

Correct, though it is possible (but usually recommended against) to
create a new certificate using the same private keypair as before. In
general, you should create a new keypair when applying for a new
certificate.

> But your comment above seems to indicate that the old pair gets a new
> signature. Is this correct? But what if I apply with a different
> browser I applied the last time.

I interpreted Werner's comment to mean "In order to decrypt messages
encrypted to you, you only need a private key. You don't need a valid
certificate to decrypt old messages that were encrypted to a now-expired
certificate."

If you generate a new keypair for the new certificate (which is probably
a good idea) then gpgsm (and presumably any other certificate-using
software) will figure out what private key will be needed to decrypt a
particular message and, so long as you still have the private key on
your system, will use it as needed even if the corresponding certificate
has expired.

Cheers!
-Pete

--
Pete Stephenson
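
The relationship described in this message, reproduced with the openssl command-line tool as an added example (not part of the original post, and not gpgsm's own procedure): a message encrypted to an old certificate is decrypted with the private key alone, after the certificate has been thrown away. Self-signed certificates stand in for Comodo-issued ones, deleting the certificate stands in for its expiry, and every file name, the subject and the message text are constructed.

```shell
#!/bin/sh
# Added example: names, subject and message text are constructed.
set -eu
dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT; cd "$dir"
SUBJ="/CN=Example User/emailAddress=user@example.org"

# Public key as embedded in a certificate, and as derived from a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# True only if the private key alone (no -recip certificate) recovers plain.txt.
key_only_decrypts() {  # $1 = private key file, $2 = S/MIME message
    openssl cms -decrypt -in "$2" -inkey "$1" -out out.txt 2>/dev/null &&
        cmp -s out.txt plain.txt
}

# Self-signed certificates stand in for CA-issued ones (assumption).
new_identity() {  # $1 = basename, $2 = validity in days: fresh keypair + cert
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "$SUBJ" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

new_identity old 30     # the certificate old mail was encrypted to
new_identity new 365    # renewal with a fresh keypair (the recommended way)
# Renewal that reuses the old keypair: new certificate, same public key.
openssl req -x509 -new -key old.key -days 365 -subj "$SUBJ" \
    -out renewed.crt 2>/dev/null

old_pub=$(cert_pubkey old.crt)

# A correspondent encrypts to the old certificate, i.e. to its public key.
printf 'old mail\n' > plain.txt
openssl cms -encrypt -binary -aes256 -in plain.txt -out old.msg old.crt

# Throw the old certificate away (stand-in for expiry); keep the private key.
rm old.crt

[ "$old_pub" = "$(key_pubkey old.key)" ] && echo "old.crt carried old.key's public key"
[ "$old_pub" = "$(cert_pubkey renewed.crt)" ] && echo "renewed.crt carries that same key"
key_only_decrypts old.key old.msg && echo "old.key alone decrypts the old mail"
key_only_decrypts new.key old.msg || echo "new.key cannot decrypt the old mail"
```

The last line is the practical consequence for renewal with a fresh keypair: old mail stays readable only as long as the old private key is kept.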