[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] details of 4880bis work

On Thu, 2015-04-16 at 08:02 -0400, Phillip Hallam-Baker wrote: 
> That is an important requirement but putting the time info into the
> fingerprint is not the only way to address it.
How else would you want to do it? If you don't also put it in the
fingerprint, than we could e.g. meet at a signing party, exchange our
FPs,... I forget to sign yours, but remember a year later. I still have
the fingerprint, but if that would stay the same, even though other
dates have been set, I wouldn't notice this.

> Operating PKIX, the lifetime of root keys and root certs is very
> different. Rolling over a root with the same key is common.
Which I think is a questionable practise...

> > That's why I think, that creation and expiration times should be
> > immutable once the key has been created; at least not without
> > invalidating all signatures (i.e. those from other users).
> At that point we are authenticating a self signed cert, not just the
> key and the dynamics are different.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

openpgp mailing list