On Thu, 2015-04-16 at 08:02 -0400, Phillip Hallam-Baker wrote:
> That is an important requirement but putting the time info into the
> fingerprint is not the only way to address it.
How else would you want to do it? If you don't also put it in the
fingerprint, then we could e.g. meet at a signing party, exchange our
FPs,... I forget to sign yours, but remember a year later. I still have
the fingerprint, but if that would stay the same, even though other
dates have been set, I wouldn't notice this.
> Operating PKIX, the lifetime of root keys and root certs is very
> different. Rolling over a root with the same key is common.
Which I think is a questionable practise...
That's why I think, that creation and expiration times should be
immutable once the key has been created; at least not without
invalidating all signatures (i.e. those from other users).
> At that point we are authenticating a self signed cert, not just the
> key and the dynamics are different.
?
Cheers.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
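The point under discussion in the message above is which key dates the fingerprint binds. In the RFC 4880 v4 scheme the creation time is part of the public-key packet and therefore of the fingerprint, while the expiration time lives in a Key Expiration Time subpacket of the self-signature and is not. The following is an added example, not code from the thread or from any OpenPGP implementation: it computes a v4 fingerprint over a constructed (not real) RSA-shaped key and shows that changing the creation time changes the fingerprint while the expiration cannot affect it. The function hypothetical_fingerprint_with_expiry is an assumption, a sketch of what "expiration bound into the fingerprint" would look like, and is not part of any OpenPGP specification.

```python
import hashlib
import struct

# Constructed sample key material: a small RSA-shaped modulus and exponent,
# NOT a real key; only the packet encoding and hashing are of interest here.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SAMPLE_E = 65537
ALGO_RSA = 1                     # RFC 4880 9.1: RSA (Encrypt or Sign)
CREATED = 1429185720             # 2015-04-16T12:02:00Z, the date of the quoted mail
EXPIRES_1YEAR = CREATED + 365 * 86400
EXPIRES_2YEARS = CREATED + 2 * 365 * 86400


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2):
    two-octet bit length followed by the big-endian magnitude."""
    bitlen = n.bit_length()
    return struct.pack(">H", bitlen) + n.to_bytes((bitlen + 7) // 8, "big")


def v4_public_key_body(creation_time: int, algo: int, mpis) -> bytes:
    """Body of a version 4 Public-Key packet (RFC 4880 5.5.2):
    version octet, 4-octet creation time, algorithm octet, then the MPIs.
    Note what is NOT here: any expiration time. In v4 that is a subpacket
    of the self-signature (RFC 4880 5.2.3.6), so it can be changed later
    without touching this packet."""
    body = bytes([4]) + struct.pack(">I", creation_time) + bytes([algo])
    for m in mpis:
        body += mpi(m)
    return body


def v4_fingerprint(creation_time: int, algo: int, mpis) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the
    Public-Key packet body starting at the version field."""
    body = v4_public_key_body(creation_time, algo, mpis)
    material = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(material).hexdigest().upper()


def hypothetical_fingerprint_with_expiry(creation_time: int, expiry_time: int,
                                         algo: int, mpis) -> str:
    """ASSUMPTION / not OpenPGP: a sketch of a fingerprint that also binds the
    expiration time, so that re-dating the key produces a different
    fingerprint. The layout (v4 material followed by a 4-octet expiry,
    hashed with SHA-256) is invented for illustration only."""
    body = v4_public_key_body(creation_time, algo, mpis)
    material = (b"\x99" + struct.pack(">H", len(body)) + body
                + struct.pack(">I", expiry_time))
    return hashlib.sha256(material).hexdigest().upper()


def key_expiry_subpacket(expiry_seconds_after_creation: int) -> bytes:
    """Key Expiration Time subpacket (RFC 4880 5.2.3.6, type 9): one-octet
    length, one-octet type, 4-octet seconds after key creation. Included to
    show that the expiry is signature data, outside the fingerprint input."""
    payload = struct.pack(">I", expiry_seconds_after_creation)
    return bytes([len(payload) + 1, 9]) + payload


if __name__ == "__main__":
    fp = v4_fingerprint(CREATED, ALGO_RSA, [SAMPLE_N, SAMPLE_E])
    fp_redated = v4_fingerprint(CREATED + 86400, ALGO_RSA, [SAMPLE_N, SAMPLE_E])
    print("v4 fingerprint            :", fp)
    print("v4, creation time +1 day  :", fp_redated)
    print("expiry subpacket (1 year) :", key_expiry_subpacket(365 * 86400).hex())
    print("hypothetical, expires 1y  :",
          hypothetical_fingerprint_with_expiry(CREATED, EXPIRES_1YEAR, ALGO_RSA, [SAMPLE_N, SAMPLE_E]))
    print("hypothetical, expires 2y  :",
          hypothetical_fingerprint_with_expiry(CREATED, EXPIRES_2YEARS, ALGO_RSA, [SAMPLE_N, SAMPLE_E]))
```

Running it shows two v4 fingerprints that differ only because the creation time differs, and that v4_fingerprint takes no expiration argument at all: whatever expiry subpacket a later self-signature carries, the v4 fingerprint exchanged at the signing party stays the same, which is exactly the case the reply above worries about. The hypothetical variant is there only to make concrete what "putting the time info into the fingerprint" would change.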