On Wed, Jun 08, 2005 at 02:09:59AM +0200, Per Tunedal Casual wrote:
> True, but it might be convenient anyhow. The shorter the time, the safer
> the guess!
>
> One way is to assume that the key is attacked immediately and that all the
> security is in the passphrase. Make an estimation of the strength of the
> passphrase and you are done!

But then, the safe guess would be that the attack did start immediately when the key was generated, not when the signature was added. So, following your logic, you should never sign a key older than your estimated passphrase-guessing-time.

I guess one should leave that decision to the key owner. The signature only tells one thing: This key belongs to person XYZ. And nothing about key security.

Signature expiration dates are useful when "person XYZ" is not (only) a natural person, but some kind of role account (e.g. "CEO of Company ABC"), where that role is not a permanent one, but may change in future.

Currently, I can't imagine other sensible uses for signature expiration (but I'm not claiming there aren't - it's only my limited imagination).

Yours,
Jan

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
