[Top] [All Lists]

Re: [openpgp] New fingerprint: to v5 or not to v5

2015-10-12 23:19:40
Werner Koch <wk(_at_)gnupg(_dot_)org> writes:

People have done this for X.509 keys a lot (although I heard that Mozilla now
complains about using a new X.509 certificate with key material known from
another certificate).

The practice is unfortunately far too common in the X.509 world, where the
same key is re-certified year in, year out.  The end result is a worst-of-
both-worlds system where you're forced to pay a CA every year to make the
browser warnings go away, but don't get the benefit of changing your key to
limit the damage due to a compromise.  It's more PKI security theatre I


openpgp mailing list