Mailing List Archive

Key lifetime
I understand it is advisable to put an expiration date
on one's key. On the other hand my "web-of-trust" is lost
when the key expires, and I have to start from zero...

Any expert advice on key lifetime appreciated.

Thx,
Stefan

--
Stefan H. Holek, stefan@epy.co.at
Re: Key lifetime
> Stefan H. Holek:

> I understand it is advisable to put an expiration date
> on one's key. On the other hand my "web-of-trust" is lost
> when the key expires, and I have to start from zero...

i no expeat. take easy. web-of-trust only for terroris. you use serva.
say peops fresh key fom serva time and time.

clemens peng
Re: Key lifetime
On Thu, 8 Jun 2000, clemensF wrote:

> > I understand it is advisable to put an expiration date
> > on one's key. On the other hand my "web-of-trust" is lost
> > when the key expires, and I have to start from zero...
>
> i no expeat. take easy. web-of-trust only for terroris. you use serva.
> say peops fresh key fom serva time and time.

i c u no expeat! fresh key no sigs! peops no trust fresh key!

;)

--
Stefan H. Holek, stefan@epy.co.at
Re: Key lifetime
> Stefan H. Holek:

> i c u no expeat! fresh key no sigs! peops no trust fresh key!

Well, now that sounds like a completely different story! My key is signed all
over the ch*****ning place!

clemens!
Re: Key lifetime
On Thu, 8 Jun 2000, L. Sassaman wrote:

> The longer the lifetime of a key, the more likely the key is to be
> compromised. If you choose to retire a key, be sure to link your new key
> with the old by signing it with the old before the old key expires.

Does this mean an expired key can still be used for computing trust?

> Note that you can make use of the fact that multiple subkeys are permitted
> in OpenPGP to address this issue partially: you expire your encryption
> keys, but keep your signing key the same.

I have also seen people have completely separate signing and encryption
keys...

But - I could still lose the passphrase for my signing key, or someone
could find a way to steal my private keyring, or ...

So, there seems to be no way around re-establishing trust (getting people
to sign my current (signing-) key) once in a while. Well, maybe this is
not too bad a thing anyway...

Thanks,
Stefan

--
Stefan H. Holek, stefan@epy.co.at
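The subkey layout Sassaman suggests above (signing key kept, encryption key expiring), as an added example that is not from the thread: a certify/sign-only primary key without expiry plus an encryption subkey with a one-year lifetime, created in a throwaway keyring and then extended without touching the primary key. It assumes GnuPG 2.2 or later (the --quick-* commands did not exist in the gpg of 2000) and a constructed test identity.

```shell
#!/bin/sh
# Added example: a certify/sign-only primary key that never expires plus an
# encryption subkey with a one-year lifetime. Signatures other people put on
# the primary key survive; only the encryption subkey rolls over.
# Needs GnuPG 2.2 or later; all key material here is throwaway.
set -eu
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
UID_STR="Example User <example@example.invalid>"   # constructed identity
GPG="gpg --batch --pinentry-mode loopback --passphrase"
# Fingerprint of the primary key (first fpr record in the colon listing).
primary_fpr() {
    gpg --batch --with-colons --list-keys "$UID_STR" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}
# Expiration of the primary key: seconds since epoch, empty means never.
primary_expires() {
    gpg --batch --with-colons --list-keys "$FPR" \
        | awk -F: '$1 == "pub" { print $7; exit }'
}
# Number of subkeys whose capability field (12) includes "e" (encrypt).
encr_subkey_count() {
    gpg --batch --with-colons --list-keys "$FPR" \
        | awk -F: '$1 == "sub" && $12 ~ /e/ { n++ } END { print n + 0 }'
}
# Fingerprint (fpr record following the sub record) of the encryption subkey.
encr_subkey_fpr() {
    gpg --batch --with-colons --list-keys "$FPR" \
        | awk -F: '$1 == "sub" && $12 ~ /e/ { want = 1; next }
                   want && $1 == "fpr" { print $10; exit }'
}
# Expiration of the encryption subkey, seconds since epoch.
encr_subkey_expires() {
    gpg --batch --with-colons --list-keys "$FPR" \
        | awk -F: '$1 == "sub" && $12 ~ /e/ { print $7; exit }'
}

# 1. Primary key: sign/certify only, no expiry (the web-of-trust anchor).
$GPG '' --quick-gen-key "$UID_STR" ed25519 sign never
FPR="$(primary_fpr)"
# 2. Encryption subkey that expires after one year.
$GPG '' --quick-add-key "$FPR" cv25519 encr 1y
SUBFPR="$(encr_subkey_fpr)"
OLD_EXP="$(encr_subkey_expires)"
# 3. Before it lapses, extend only the subkey; the primary key and the
#    signatures on it are untouched, so no trust has to be re-established.
$GPG '' --quick-set-expire "$FPR" 2y "$SUBFPR"
NEW_EXP="$(encr_subkey_expires)"
```

Replacing the subkey instead of extending it works the same way: add a fresh encryption subkey with --quick-add-key and let the old one lapse, while certifications on the primary key stay valid.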
Re: Key lifetime
On Thu, 8 Jun 2000, L. Sassaman wrote:

> On Thu, 8 Jun 2000, Stefan H. Holek wrote:
>
> > On Thu, 8 Jun 2000, L. Sassaman wrote:
> >
> > > The longer the lifetime of a key, the more likely the key is to be
> > > compromised. If you choose to retire a key, be sure to link your new key
> > > with the old by signing it with the old before the old key expires.
> >
> > Does this mean an expired key can still be used for computing trust?
>
> Yes. Read RFC 2440 if you're really interested.

This is gnupg-USERS, isn't it?

Any user-level documentation on this? I obviously was missing that part
and consider it valuable information, but knowing the packet formats does
not help much. I am not planning to do an implementation in the near
future.

Still, thanks a lot
Stefan

--
Stefan H. Holek, stefan@epy.co.at
Re: Key lifetime
"L. Sassaman" <rabbi@quickie.net> writes:

> > > The longer the lifetime of a key, the more likely the key is to be
> > > compromised. If you choose to retire a key, be sure to link your new key
> > > with the old by signing it with the old before the old key expires.
> >
> > Does this mean an expired key can still be used for computing trust?
>
> Yes. Read RFC 2440 if you're really interested.

Do you have a quote? I'm quite sure this issue is *not* covered by
RFC 2440.

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
Re: Key lifetime
"L. Sassaman" <rabbi@quickie.net> writes:

> > > > Does this mean an expired key can still be used for computing trust?
> > >
> > > Yes. Read RFC 2440 if you're really interested.
> >
> > Do you have a quote? I'm quite sure this issue is *not* covered by
> > RFC 2440.

> So the question really comes down to, "are expired keys valid?" And that
> *is* covered by the RFC.

No, it isn't. The concept of key validity is beyond the scope of the
RFC. For example, an implementation of RFC 2440 is free to consider
all keys valid whose primary user ID happens to start with the letter
'A'. (I would be very glad if someone proved me wrong, it would make
life easier for us. ;-)

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5