On Fri, Mar 25, 2011 at 10:53 AM, Andreas K. Huettel wrote:
>> > it says here http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2
>> > that the validity should be <6 month. What is the protocol when the
>> > expiry date is approaching?
>>
>> I'd say that should be changed. With keys changing every half a year,
>> we're soon going to have a tree spammed with Manifests signed using
>> expired keys.
>
> Correct me if I'm wrong, but that does not invalidate the signature (if it was made before expiration).

it does not. the only thing that matters when checking signatures is
that the key was valid *when the signature was made*. the fact that
you're checking the signature years after the key expired is
irrelevant.
-mike
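
The rule stated in the reply above, as an added example that is not part of the original thread or of any Gentoo tooling: a Python sketch that reads GnuPG `--status-fd` lines and compares the signature's timestamp with the key's expiry time. The status text is constructed and simplified, and `parse_status` and `classify` are hypothetical helper names.

```python
# Constructed, simplified `gpg --status-fd 1 --verify` output for a Manifest
# signed in March 2011 by a key that expired in September 2011.
# Key id, fingerprint and user id are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1317000000
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Dev <dev@example.org>
[GNUPG:] VALIDSIG {FPR} 2011-03-25 1301050000 0 4 0 1 2 00 {FPR}
"""

def parse_status(text):
    """Map each status keyword to the argument list of its last occurrence."""
    status = {}
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, *args = line[len("[GNUPG:] "):].split()
            status[keyword] = args
    return status

def classify(text):
    """Hypothetical policy helper: judge the signature by its signing time."""
    st = parse_status(text)
    if "BADSIG" in st or "ERRSIG" in st or "VALIDSIG" not in st:
        return "reject: signature did not verify"
    if "REVKEYSIG" in st:
        return "reject: key revoked"
    # VALIDSIG args: fingerprint, date, sig-timestamp, sig-expire-timestamp, ...
    # Assumes epoch-second timestamps (gpg can also print ISO 8601).
    signed_at = int(st["VALIDSIG"][2])
    if "KEYEXPIRED" not in st:
        return "accept: key still valid"
    # Assumes KEYEXPIRED refers to the signing key, not an unrelated subkey.
    expired_at = int(st["KEYEXPIRED"][0])
    # signed_at is the time the signer recorded inside the signature.
    if signed_at < expired_at:
        return "accept: signed before key expired"
    return "reject: signed after key expired"

if __name__ == "__main__":
    print(classify(SAMPLE_STATUS))
```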