Renewing expiring key - done correctly?
Hauke Laging
mailinglisten at hauke-laging.de
Wed Dec 4 00:59:53 CET 2013
On Wed 04.12.2013, 00:39:46, Johannes Zarl wrote:
> Isn't that just a false sense of security? After all, if the key has been
> compromised, the attacker can just prolong the validity
He could, but he would need the secret mainkey for that operation and...
> > but we all love our highly secure offline mainkeys, don't we?
...keys without offline mainkey on insecure systems are a security joke
anyway.
> that the owner can just issue a revocation certificate
It may be possible to prevent someone from seeing the revocation certificate.
Certificate distribution is a lot less secure than the keys themselves. But
you cannot trick someone into using an expired key.
> So in summary, the short validity period is essentially a reminder for
> people to regularly check whether the key has been revoked.
And besides security: It allows detection of dead keys on the keyservers.
Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
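An added example (not part of Hauke's message or of GnuPG's own code) that checks the point above with GnuPG in a throwaway keyring: extending a subkey's validity works while the secret primary key is present and fails once that secret part has been removed to simulate an offline mainkey. It assumes GnuPG 2.1.22 or later is on PATH; the user id is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the list thread): show that extending a subkey's
# validity needs the secret primary key, so someone holding only the online
# subkeys cannot "just prolong the validity".
# Assumes GnuPG >= 2.1.22 (--quick-set-expire on subkeys) is installed.
set -eu
export GNUPGHOME="$(mktemp -d)"        # throwaway keyring, removed on exit
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
UID_DEMO="Demo Key <demo@example.invalid>"   # constructed test identity

# unattended gpg: no passphrase, no prompts
gpgb() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

primary_fpr() { gpg --with-colons -k | awk -F: '$1=="fpr"{print $10; exit}'; }
subkey_fpr()  { gpg --with-colons --with-subkey-fingerprints -k \
                | awk -F: '$1=="fpr"{n++} n==2{print $10; exit}'; }

make_key() {   # primary (sign) + encryption subkey, both expiring in 1 day
    gpgb --quick-gen-key "$UID_DEMO" ed25519 sign 1d
    gpgb --quick-add-key "$(primary_fpr)" cv25519 encr 1d
}

subkey_expiry() {   # expiry as a Unix timestamp (field 7 of the sub record)
    gpg --with-colons -k | awk -F: '$1=="sub"{print $7; exit}'
}

extend_subkey() {   # $1 = new validity, e.g. 2y; needs the primary secret key
    gpgb --quick-set-expire "$(primary_fpr)" "$1" "$(subkey_fpr)"
}

take_primary_offline() {   # simulate an offline mainkey: drop its secret part
    grip=$(gpg --with-colons --with-keygrip -k | awk -F: '$1=="grp"{print $10; exit}')
    rm -f "$GNUPGHOME/private-keys-v1.d/$grip.key"
    gpg -K | grep -q '^sec#'   # '#' marks a primary whose secret key is absent
}
```

Run the functions in order (make_key, extend_subkey 2y, take_primary_offline, extend_subkey 3y): the last call fails because the binding signature on the renewed subkey can only be made with the primary key.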