ietf-openpgp

Re: Behavior of implementations regarding certain key material

2000-05-31 01:36:55
* hal(_at_)finney(_dot_)org wrote:
> The problem is that we don't have a mechanism for securely timestamping
> signatures.

There are techniques to do so (eternity log, ...) but they are
counterproductive on signature generation. Timestamps are optional on
reception. In most cases they are generated implicitly by starting a
business action.

> If someone breaks or steals an expired key, they can create a back-dated
> signature with it.

German politics generated a (not required) appendix to the law, specifically
prohibiting back-dating a computer while signing a document. So it cannot
happen. :-)

> In my opinion it is risky to rely on a signature by an expired key.

No.

> PGP versions 5.0 and later do not use expired keys in trust calculations.

Bad choice.
