ietf-openpgp

Re: [openpgp] rfc3880bis - hard expiration time

2015-04-23 14:04:39
On Thu, Apr 23, 2015 at 11:48 AM, Derek Atkins <derek(_at_)ihtfp(_dot_)com> wrote:
> Christoph Anton Mitterer <calestyo(_at_)scientia(_dot_)net> writes:
>
>> On Mon, 2015-04-20 at 23:50 -0700, Jon Callas wrote:
>>> Personally, I think that the present way things are done is
>>> syntactically fine. Semantically, there are many bogosities. You can
>>> time-limit your signature on a key, but no one ever does.
>> As I've explained before, I don't think that this is the same as
>> hardcoding it into the key, as it wouldn't change the fingerprint, would
>> it?!
>
> No, it would not, which is IMHO the right thing.
>
> I.e., IMNSHO I feel you should expire your key by expiring your
> self-signature on the key.  If you want to extend your key then you
> re-sign it with a new self-signature.

You are not expiring a key. That is impossible in any PKI and almost
certainly undesirable.

What you are doing is expiring an assertion binding between the key to
a set of attributes. Similarly you are not revoking a key, you are
making an irrevocable and permanent assertion that the key is not
valid.

Being precise about these things is going to be important if we are
going to actually clean up OpenPGP and not add more confusion.


It is quite possible to set a key fingerprint for expiry however. We
simply take a fingerprint of an assertion that includes an expiry
time.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
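The point argued in the thread, that expiry lives in the self-signature (Key Expiration Time subpacket, type 9) while the v4 fingerprint covers only the key packet, shown as an added example that is not from the thread or any OpenPGP implementation. The key material, timestamps and the `mpi`/`subpacket` helper encoders are constructed for illustration; only the packet layouts follow RFC 4880.

```python
import hashlib
import struct

KEY_CREATED = 1429747200  # constructed key creation time (2015-04-23 00:00 UTC)

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def public_key_body(created: int) -> bytes:
    """Version-4 public key packet body (RFC 4880 5.5.2): RSA (algo 1) with toy, non-real MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(0xC0FFEE1234567) + mpi(65537)

def fingerprint_v4(key_body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, a 2-byte length and the key packet body; no signature data."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest()

def subpacket(sp_type: int, data: bytes) -> bytes:
    """Encode one signature subpacket with a one-octet length (length counts the type octet)."""
    return bytes([len(data) + 1, sp_type]) + data

def parse_subpackets(area: bytes) -> dict:
    """Parse a subpacket area (RFC 4880 5.2.3.1) with 1-, 2- and 5-octet length forms."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        out[area[i]] = area[i + 1:i + length]
        i += length
    return out

def effective_expiry(created: int, hashed_area: bytes):
    """Key expiry = key creation + type-9 subpacket seconds; None if the self-sig sets none."""
    subs = parse_subpackets(hashed_area)
    return created + struct.unpack(">I", subs[9])[0] if 9 in subs else None

def demo() -> dict:
    """Re-sign the same key with a longer expiry: fingerprint stays, the signed assertion changes."""
    key = public_key_body(KEY_CREATED)
    sig_a = subpacket(2, struct.pack(">I", KEY_CREATED)) + subpacket(9, struct.pack(">I", 365 * 86400))
    sig_b = subpacket(2, struct.pack(">I", KEY_CREATED)) + subpacket(9, struct.pack(">I", 730 * 86400))
    assertion = lambda area: hashlib.sha256(key + area).hexdigest()  # hash of key plus its binding
    return {"fingerprint_unchanged": fingerprint_v4(key) == fingerprint_v4(public_key_body(KEY_CREATED)),
            "assertion_hash_changed": assertion(sig_a) != assertion(sig_b),
            "expiry_a": effective_expiry(KEY_CREATED, sig_a), "expiry_b": effective_expiry(KEY_CREATED, sig_b)}
```

Hashing the key together with its self-signature, as `demo` does for the "assertion", is the variant suggested at the end of the message: that digest does move when the expiry changes, the fingerprint does not.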
