On Sunday 16 March 2008, David Schwartz wrote:

> > Doesn't what you suggest create a headache? Every time I want to
> > decrypt an old message I sent or I received, or a file, I will need to
> > change the mail client configuration and point it to another private
> > key.
>
> One would hope your mail client will allow you to keep any number of key
> pairs for decryption use, with one selected as 'active' to be the default
> for encryption.
>
> > Keeping the same key overcomes this problem. Have I got this right? Why
> > is it not feasible to retain the same private key?
>
> You can retain the same private and public key but generate a new
> certificate if you wish. The problem is that this reduces the security by
> extending the lifespan of the key. This may be entirely reasonable if the
> lifespan of the certificate is based on other concerns than the lifespan of
> the key.
>
> For example, suppose I create a public/private keypair that I don't think
> anyone can break for 50 years. If I make the certificate valid for 30 years
> because of this, it would obviously be a bad idea to keep the same key for
> a new certificate. On the other hand, if I make the certificate valid for
> two years because I can only assure that the identity in the certificate
> will belong to the key owner for that long, there's no harm in re-using the
> same key in the next certificate if I know the identity is good for another
> two years. (The key being safe for 48 years rather than 50 is a negligible
> difference, but don't renew the certificate for the same key forever.)
Thanks guys! I have understood the principle of this now. Let's hope that I will not mess things up when I migrate from this PC to another and lock myself out of accessing my (older) docs and emails.

-- 
Regards,
Mick