[arch-general] signature from "Thorsten Tpper <xxx at xxx.xxx>" is unknown trust
Gaetan Bisson
bisson at archlinux.org
Mon Jan 28 23:26:13 EST 2013
[2013-01-29 04:51:49 +0100] Karol Babioch:
> Am 29.01.2013 04:37, schrieb Gaetan Bisson:
> > Dave's answer certainly misses the real question of why Thorsten would
> > want an expiration date on his GPG key,
>
> Because its good and common practice. There are several reasons for
> this, one of which is a compromise. When you got compromised and lose
> your revocation certificate, too, the key will expire at some point in time.
So instead of impersonating you for the rest of your life, the attacker
who compromised your key can only do so for a whole year? Well, only a
few hours generally suffice for them to cause terrible damage - that is
certainly true with Arch's package signing infrastructure.
Expiring keys trade ease-of-use for a fake sense of security, so better
avoid them and actually secure your key and revocation certificates.
> I'm not sure about GPG, but in case of X.509 it also helps to keep the
> certificate revocations lists (CRL) short, as certificates, which are
> expired anyway, don't have to be listed here explicitly.
In my opinion, that's a moot technical point which does not concern GPG.
Cheers.
--
Gaetan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130129/c5377fef/attachment.asc>
More information about the arch-general
mailing list