| 1 |
On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote: |
| 2 |
>> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2 |
| 3 |
>> > that the validity should be <6 month. What is the protocol when the |
| 4 |
>> > expiry date is approaching? |
| 5 |
>> |
| 6 |
>> I'd say that should be changed. With keys changing every half a year, |
| 7 |
>> we're soon going to have a tree spammed with Manifests signed using |
| 8 |
>> expired keys. |
| 9 |
> |
| 10 |
> Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration). |
| 11 |
|
| 12 |
it does not. the only thing that matters when checking signatures is |
| 13 |
that the key was valid *when the signature was made*. the fact that |
| 14 |
you're checking the signature years after the key expired is |
| 15 |
irrelevant. |
| 16 |
-mike |
Archives