On 5/6/15 at 4:42 PM, calestyo(_at_)scientia(_dot_)net (Christoph Anton
Mitterer) wrote:
- Key expired two weeks ago. Status of a signature from three weeks ago?
IMHO not well defined.
One may e.g. choose to consider the signature still valid, but not the
key... and e.g. an implementation may then say "valid signature from a
trusted but expired key".
In addition it may e.g. make some "guess"... like when the expiration
is 5 days ago it may just print the warning... but if it was 10 years
ago it would start to flash the screen like mad and play alert sirens at
all sound devices.
This answer is clearly wrong for several useful scenarios. For example:
I am looking at a ten year old audit report for a company
prepared by an audit firm. The audit firm signed it with their
then-current key, which they change regularly, following "best
industry practices". It is not a red light alert for the key to
be expired. It is not a red light alert for the data to be old.
The only time an alert is justified is when the key expired
before the signature was made.
Cheers - Bill
--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray
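
The rule from the reply above (alert only when the key had already expired at the time the signature was made), written out as an added example that is not part of the original message or of any OpenPGP implementation. The names `SigStatus` and `classify` are hypothetical, the dates are constructed, the signature creation time is assumed to be trustworthy, and the check for a signature older than its key goes beyond what the message discusses.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class SigStatus(Enum):
    VALID = "valid signature, key currently valid"
    VALID_KEY_NOW_EXPIRED = "valid signature, key expired after signing"
    ALERT_SIGNED_AFTER_EXPIRY = "ALERT: signature made after key expired"
    ALERT_SIGNED_BEFORE_CREATION = "ALERT: signature predates key creation"


def classify(sig_created: datetime, key_created: datetime,
             key_validity: Optional[timedelta], now: datetime) -> SigStatus:
    """Judge a cryptographically good signature against the key's lifetime.

    key_validity follows the OpenPGP convention: the expiration is stored
    as an offset from the key creation time; None means "never expires".
    Assumption: sig_created is trustworthy. It is asserted by the signer,
    so a real verifier needs independent evidence of the signing time.
    """
    if sig_created < key_created:
        return SigStatus.ALERT_SIGNED_BEFORE_CREATION  # added check
    if key_validity is None:
        return SigStatus.VALID
    key_expires = key_created + key_validity
    if sig_created >= key_expires:
        # The one case the reply treats as a real alert.
        return SigStatus.ALERT_SIGNED_AFTER_EXPIRY
    if now >= key_expires:
        # Old data signed by a since-rotated key: informational, not an alarm.
        return SigStatus.VALID_KEY_NOW_EXPIRED
    return SigStatus.VALID


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = utc(2015, 5, 6)  # constructed verification date

if __name__ == "__main__":
    # Constructed cases: (signature time, key creation, key validity)
    cases = {
        "audit report, ten years old": (utc(2005, 3, 1), utc(2004, 6, 1), timedelta(days=730)),
        "signed 3 weeks ago, key expired 2 weeks ago": (utc(2015, 4, 15), utc(2014, 4, 22), timedelta(days=365)),
        "signed 1 week ago, key expired 2 weeks ago": (utc(2015, 4, 29), utc(2014, 4, 22), timedelta(days=365)),
    }
    for name, (sig, created, validity) in cases.items():
        print(f"{name}: {classify(sig, created, validity, NOW).value}")
```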