On Tue, Jun 14, 2005 at 02:58:32PM +0200, Jan Niehusmann wrote:
> On Wed, Jun 08, 2005 at 02:09:59AM +0200, Per Tunedal Casual wrote:
> > True, but it might be convenient anyhow. The shorter the time, the safer
> > the guess!
> >
> > One way is to assume that the key is attacked immediately and that all the
> > security is in the passphrase. Make an estimation of the strength of the
> > passphrase and you are done!
>
> But then, the safe guess would be that the attack did start immediately
> when the key was generated, not when the signature was added. So,
> following your logic, you should never sign a key older than your
> estimated passphrase-guessing-time.
>
> I guess one should leave that decision to the key owner. The signature
> only tells one thing: This key belongs to person XYZ. And nothing about
> key security.

In general I agree. There is one spot in GnuPG where the behavior is
slightly different than this - if you sign a key that has an expiration
date (key expiration), then by default the expiration date of your
signature will be that date. This was added because in v4 OpenPGP keys,
there is no notion of a "hard" expiration date. We currently only have a
"soft" expiration date that can be extended. It's one of those little
fiddly details that come up now and then.

> Signature expiration dates are useful when "person XYZ" is not (only) a
> natural person, but some kind of role account (eg. "CEO of Company
> ABC"), where that role is not a permanent one, but may change in future.
>
> Currently, I can't imagine other sensible uses for signature expiration
> (but I'm not claiming there aren't - it's only my limited imagination).

They're also useful for a CA or a CA-like entity, who want to verify for
an artificially short period of time. For example, something like
keyserver.pgp.com, which verifies only for 2 weeks to force users of your
key to refresh frequently. Or take a CA that sells certifications - they
want you to buy another signature after a year :)

David

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
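The thread above makes two points worth checking on real keyrings: a certification's expiration defaults to the signed key's own expiration when that key expires, and a CA-like signer may deliberately issue short-lived certifications (two weeks, one year) so relying parties must refresh. The following is an added example, not code from GnuPG or from anyone in this thread. It parses the machine-readable listing that `gpg --with-colons --fixed-list-mode --list-sigs <keyid>` produces and reports, for each third-party certification on a user ID, whether it carries its own expiration, whether that expiration merely mirrors the key's expiration, and whether it has already lapsed at a chosen point in time. The sample listing, key IDs and timestamps are constructed; it assumes the epoch-seconds date form that `--fixed-list-mode` emits.

```python
"""Audit third-party certifications (key signatures) in GnuPG colon output.

Added example for this thread, not GnuPG's own code. It parses the
machine-readable listing produced by

    gpg --with-colons --fixed-list-mode --list-sigs <keyid>

and reports, for each certification on a user ID, whether it has its own
expiration, whether that expiration merely mirrors the signed key's
expiration (GnuPG's default when you sign an expiring key), and whether it
has already lapsed at a chosen point in time.

Assumptions: timestamps are epoch seconds (the --fixed-list-mode form);
the listing below is constructed, with made-up key IDs and dates.
"""
from dataclasses import dataclass, field
from typing import Optional

DAY = 86400

# Constructed sample: one expiring key, self-signed, certified by three others.
# Field 7 of pub/sig records is the expiration (empty = never).
SAMPLE_LISTING = """\
pub:u:2048:1:0000000011111111:1700000000:1750000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000011111111:
uid:u::::1700000000::AAAA0000::Role Account <role@example.invalid>::::::::::0:
sig:::1:0000000011111111:1700000000:::::13x:::::::::
sig:::1:00000000AAAAAAAA:1710000000:1750000000::::10x:::::::::
sig:::1:00000000BBBBBBBB:1717000000:1718209600::::12x:::::::::
sig:::1:00000000CCCCCCCC:1712000000:::::11x:::::::::
"""


@dataclass
class Certification:
    signer: str
    created: int
    expires: Optional[int]
    sig_class: str          # 10x..13x: generic/persona/casual/positive certification
    uid: str


@dataclass
class Key:
    keyid: str
    created: int
    expires: Optional[int]
    certs: list = field(default_factory=list)


@dataclass
class Finding:
    signer: str
    uid: str
    status: str             # "valid", "expired" or "never-expires"
    lifetime_days: Optional[int]
    note: str


def _ts(value: str) -> Optional[int]:
    """Colon-format timestamp field: empty means 'never', else epoch seconds."""
    return int(value) if value else None


def parse_listing(text: str) -> list[Key]:
    """Walk records in order; a uid record scopes the sig records after it."""
    keys: list[Key] = []
    current_uid = ""
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4], created=int(f[5]), expires=_ts(f[6])))
            current_uid = ""
        elif f[0] == "uid" and keys:
            current_uid = f[9]
        elif f[0] == "sig" and keys and current_uid:
            keys[-1].certs.append(Certification(
                signer=f[4], created=int(f[5]), expires=_ts(f[6]),
                sig_class=f[10], uid=current_uid))
    return keys


def audit_certifications(text: str, now: int) -> list[Finding]:
    """Classify every third-party certification as of time `now`."""
    findings: list[Finding] = []
    for key in parse_listing(text):
        for c in key.certs:
            if c.signer == key.keyid:
                continue        # self-signature binds the uid; not a third-party vouch
            if c.expires is None:
                findings.append(Finding(c.signer, c.uid, "never-expires", None,
                    "no signature expiration; only key expiry or revocation ends it"))
                continue
            lifetime = (c.expires - c.created) // DAY
            if key.expires is not None and c.expires == key.expires:
                note = "expiration equals the key's own expiration (GnuPG default on expiring keys)"
            elif key.expires is not None and c.expires > key.expires:
                note = "outlives the key; the key's expiration governs"
            else:
                note = f"short-lived certification, {lifetime} days; relying parties must refresh"
            status = "expired" if c.expires <= now else "valid"
            findings.append(Finding(c.signer, c.uid, status, lifetime, note))
    return findings


if __name__ == "__main__":
    for fnd in audit_certifications(SAMPLE_LISTING, now=1718100000):
        print(f"{fnd.signer}  {fnd.status:13} {fnd.lifetime_days!s:>5}d  {fnd.note}")
```

Run against a real keyring by piping `gpg --with-colons --fixed-list-mode --list-sigs <keyid>` into `audit_certifications` with `now=int(time.time())`. In the constructed sample, signer `AAAAAAAA`'s certification expires exactly when the key does (the default David describes), signer `BBBBBBBB`'s lasts 14 days in the style of a refresh-forcing keyserver, and signer `CCCCCCCC`'s never expires on its own.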
