On Tue, Oct 13, 2015 at 12:19 AM, Peter Gutmann
<pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> wrote:
> Werner Koch <wk(_at_)gnupg(_dot_)org> writes:
>> People have done this for X.509 keys a lot (although I heard that Mozilla now
>> complains about using a new X.509 certificate with key material known from
>> another certificate).
>
> The practice is unfortunately far too common in the X.509 world, where the
> same key is re-certified year in, year out. The end result is a worst-of-
> both-worlds system where you're forced to pay a CA every year to make the
> browser warnings go away, but don't get the benefit of changing your key to
> limit the damage due to a compromise. It's more PKI security theatre I
> guess...

X509 keys are authentication keys. You cannot go back and authenticate
things that failed after compromise.

> Peter.
--
"Man is born free, but everywhere he is in chains".
--Rousseau.
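The check Werner mentions (flagging a new certificate that carries key material already seen in another one) can be run locally over a set of certificates by fingerprinting each one's SubjectPublicKeyInfo and looking for collisions across renewals. The Python below is an added illustration, not code from this thread, from Mozilla or from GnuPG. It uses only the standard library: a minimal DER encoder builds three constructed, unsigned certificates (placeholder RSA moduli, zeroed signature bytes) so the check can run offline, and the spki_der walker relies only on the fixed TBSCertificate field order, so it also works on real DER certificates read from disk.

```python
"""Flag public-key reuse across X.509 certificates via SPKI fingerprints.
Added illustration, standard library only. Sample certificates below are
constructed (placeholder moduli, zeroed signature) purely to exercise the check."""
import hashlib
from collections import defaultdict

def der_len(n):
    """DER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """One DER TLV element."""
    return bytes([tag]) + der_len(len(content)) + content

def seq(*parts):
    return der(0x30, b"".join(parts))

def read_tlv(buf, pos):
    """Return (tag, content, end_offset) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(content):
    """Yield (tag, raw TLV bytes) for each element directly inside a SEQUENCE."""
    pos = 0
    while pos < len(content):
        tag, _, end = read_tlv(content, pos)
        yield tag, content[pos:end]
        pos = end

def spki_der(cert_der):
    """DER SubjectPublicKeyInfo. Certificate = SEQ{tbs, sigAlg, sig}; TBSCertificate =
    SEQ{[0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI, ...}."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body, _ = read_tlv(cert_body, 0)
    fields = list(children(tbs_body))
    if fields[0][0] == 0xA0:      # v2/v3 certificates carry an explicit [0] version
        fields = fields[1:]
    return fields[5][1]           # serial, sigAlg, issuer, validity, subject, SPKI

def spki_fingerprint(cert_der):
    """SHA-256 over the DER SPKI (the value HPKP / RFC 7469 pins use)."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def reused_keys(certs):
    """Map SPKI fingerprint -> labels of every certificate sharing that key (>1 only)."""
    groups = defaultdict(list)
    for label, cert_der in certs.items():
        groups[spki_fingerprint(cert_der)].append(label)
    return {fp: labels for fp, labels in groups.items() if len(labels) > 1}

# --- constructed sample certificates: no real keys, signature bytes zeroed ---
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # commonName
ALG_SHA256_RSA = seq(der(0x06, OID_SHA256_RSA), der(0x05, b""))

def name(cn):
    return seq(der(0x31, seq(der(0x06, OID_CN), der(0x0C, cn.encode()))))

def rsa_spki(modulus):
    """SPKI for an RSA key; `modulus` here is a placeholder byte string, not a real key."""
    if modulus[0] & 0x80:
        modulus = b"\x00" + modulus   # keep the INTEGER positive
    pub = seq(der(0x02, modulus), der(0x02, b"\x01\x00\x01"))
    return seq(seq(der(0x06, OID_RSA), der(0x05, b"")), der(0x03, b"\x00" + pub))

def fake_cert(serial, not_before, not_after, modulus):
    """Structurally valid v3 certificate with a zeroed signature (constructed)."""
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                   # version v3
        der(0x02, bytes([serial])),
        ALG_SHA256_RSA,
        name("Example CA"),
        seq(der(0x17, not_before.encode()), der(0x17, not_after.encode())),
        name("www.example.com"),
        rsa_spki(modulus),
    )
    return seq(tbs, ALG_SHA256_RSA, der(0x03, b"\x00" + bytes(32)))

KEY_A = bytes(range(1, 65))       # constructed 64-byte "modulus"
KEY_B = bytes(range(64, 0, -1))   # a different constructed "modulus"
CERTS = {
    "2014 cert": fake_cert(1, "140101000000Z", "150101000000Z", KEY_A),
    "2015 renewal (same key)": fake_cert(2, "150101000000Z", "160101000000Z", KEY_A),
    "2016 renewal (new key)": fake_cert(3, "160101000000Z", "170101000000Z", KEY_B),
}

if __name__ == "__main__":
    for fp, labels in reused_keys(CERTS).items():
        print(f"SPKI {fp[:16]}... shared by: {', '.join(labels)}")
```

Running it reports the 2014 certificate and its 2015 renewal as sharing one SPKI fingerprint, while the 2016 renewal with a fresh key is not grouped with either. On real certificates, feed reused_keys a dict of label to DER bytes (for a PEM file, strip the armour and base64-decode first); the fingerprint is computed over the whole DER SPKI, so a re-certified key matches regardless of issuer, serial or validity period.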
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp