On Thu, 2015-04-16 at 08:02 -0400, Phillip Hallam-Baker wrote: 
> That is an important requirement but putting the time info into the
> fingerprint is not the only way to address it.
How else would you want to do it? If you don't also put it in the
fingerprint, then we could e.g. meet at a signing party, exchange our
FPs, ... I forget to sign yours, but remember a year later. I still have
the fingerprint, but if that would stay the same, even though other
dates have been set, I wouldn't notice this.

> Operating PKIX, the lifetime of root keys and root certs is very
> different. Rolling over a root with the same key is common.
Which I think is a questionable practice...

> > That's why I think, that creation and expiration times should be
> > immutable once the key has been created; at least not without
> > invalidating all signatures (i.e. those from other users).
> At that point we are authenticating a self signed cert, not just the
> key and the dynamics are different.