Renewing expiring key - done correctly?

Hauke Laging mailinglisten at hauke-laging.de
Thu Dec 5 19:47:57 CET 2013


On Thu 05.12.2013, 19:30:07, Ingo Klöcker wrote:

> your assertion is correct.
> 
> 
> In the first scenario
> 
> > > a) the key has been compromised and revoked and you don't know that
> > > (because your last certificate update was before the revocation
> > > publishing)
> 
> it is incorrect because the attacker cannot extend the validity of the
> revoked key.

You misunderstand the attack. If you completely control the system time (which 
is not realistic for big discrepancies, of course) then you can prevent the 
certificate from becoming invalid: You never reach the expiration date.

BTW, OT: May I point you at this?
https://bugs.kde.org/show_bug.cgi?id=318005
https://bugs.kde.org/show_bug.cgi?id=326476
https://bugs.kde.org/show_bug.cgi?id=326477


Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5