On 23.06.20 09:56, Jeffrey Walton wrote:
[...] A signature applied during a valid key period is still good. For those following a key rotation scheme, no new signatures should occur after the key expires.
I agree. I have a related issue in my Thunderbird MUA. It keeps stating that, the - perfectly valid - signatures of signed messages I sent or received and that were created with a - now expired - X.509 certificate and private key, are invalid. Instead of verifying against my still existing private key in the MUA's keystore.
But in the big Security Engineering picture, what we've found in practice is, key continuity is better then key rotation. As long as the key does not change unexpectedly, then the key is good.
Sounds straight-forward to me.
Peter Gutmann covers all of this stuff in his book Engineering Security (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).
Nice read!
I wish the maintainers of Apt would read it and stop wasting our time with these keys due to broken policies.
Maybe it's configurable. Cheers, Frank
