> Doesn't what you suggest create a headache? Every time I want to
> decrypt an old message I sent or I received, or a file, I will need to
> change the mail client configuration and point it to another private key.

One would hope your mail client will allow you to keep any number of key pairs for decryption use, with one selected as 'active' to be the default for encryption.

> Keeping the same key overcomes this problem. Have I got this right? Why is it
> not feasible to retain the same private key?

You can retain the same private and public key but generate a new certificate if you wish. The problem is that this reduces the security by extending the lifespan of the key. This may be entirely reasonable if the lifespan of the certificate is based on other concerns than the lifespan of the key.

For example, suppose I create a public/private keypair that I don't think anyone can break for 50 years. If I make the certificate valid for 30 years because of this, it would obviously be a bad idea to keep the same key for a new certificate. On the other hand, if I make the certificate valid for two years because I can only assure that the identity in the certificate will belong to the key owner for that long, there's no harm in re-using the same key in the next certificate if I know the identity is good for another two years. (The key being safe for 48 years rather than 50 is a negligible difference, but don't renew the certificate for the same key forever.)

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
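A check for the situation DS describes, added here as an example and not part of the thread: it builds a constructed demo (one key reused across two certificates, plus a certificate on a fresh key), tests whether two certificates carry the same public key, and reports how long that key has been in service across all of them, which is the number that keeps growing on each renewal even when every single certificate looks short-lived. Assumes the openssl CLI and GNU date.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed demo material only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
# First certificate: two years on the key.
openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=demo" -days 730 -out "$WORK/cert1.pem" 2>/dev/null
# "Renewal" that keeps the same key but runs four more years.
openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=demo" -days 1460 -out "$WORK/cert2.pem" 2>/dev/null
# Certificate on a fresh key, for contrast.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.pem" -subj "/CN=demo" \
  -days 730 -out "$WORK/cert3.pem" 2>/dev/null

# SHA-256 over the DER SubjectPublicKeyInfo: identifies the key itself, regardless of
# which certificate wraps it (serial, dates and signature differ per certificate).
spki_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when both certificates carry the same public key.
same_key() {
  [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]
}

# One openssl date field ("notBefore=Jan  1 00:00:00 2024 GMT") as epoch seconds.
# $2 is -startdate or -enddate. Assumes GNU date for the parsing.
cert_epoch() {
  date -u -d "$(openssl x509 -in "$1" -noout "$2" | cut -d= -f2-)" +%s
}

# Days from the earliest notBefore to the latest notAfter across the certificates
# given: the total period the shared key has been exposed.
key_service_days() {
  start=""; end=""
  for c in "$@"; do
    nb=$(cert_epoch "$c" -startdate)
    na=$(cert_epoch "$c" -enddate)
    if [ -z "$start" ] || [ "$nb" -lt "$start" ]; then start=$nb; fi
    if [ -z "$end" ] || [ "$na" -gt "$end" ]; then end=$na; fi
  done
  echo $(( (end - start) / 86400 ))
}

if same_key "$WORK/cert1.pem" "$WORK/cert2.pem"; then
  echo "same key in cert1 and cert2; in service $(key_service_days "$WORK/cert1.pem" "$WORK/cert2.pem") days"
fi
```

Run it against real certificate files by replacing the constructed paths; a key whose service span keeps lengthening across renewals is the case the reply warns about.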