On Wed 04.12.2013, 00:00:21, Johannes Zarl wrote:
> Sorry for asking a possibly stupid question, but how exactly does a shorter
> validity period get you more security?
This is the security against the possibility that

a) the key has been compromised and revoked and you don't know that (because your last certificate update was before the revocation publishing)

b) the key has been compromised and cannot be revoked (because the owner has lost access to the secret main key and has neither a revocation certificate nor a (usable) designated revoker)

Imagine a certificate which is always prolonged for just one day. If this gets compromised then it will not be prolonged any more (at least not by its owner, but we all love our highly secure offline main keys, don't we?), so everyone will notice that within hours.

On the other hand, imagine a certificate which never expires and a lazy user (who seldom uses that key). Even a year after its revocation the lazy user may not have noticed the revocation yet, and thus encrypts critical information to the compromised key. Or worse (because the key owner wouldn't notice): uses it to validate software.

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
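The exposure window Hauke describes can be worked through as a small model. This is an added example, not code from the thread or from GnuPG: it assumes a client trusts a key until either the certificate's own expiry date passes (no network needed) or the client's next keyserver refresh returns the revocation; the dates are constructed.

```python
from datetime import date, timedelta

# Added model of the argument above (not from the thread or GnuPG).
# A client keeps trusting a key until the cert's built-in expiry passes
# or until a keyserver refresh brings in the revocation, whichever is first.

def trusted_on(day, expiry, last_refresh, revocation_published):
    """Does a client that last refreshed on `last_refresh` trust the key on `day`?"""
    if expiry is not None and day > expiry:
        return False          # expiry is inside the cert, needs no refresh
    if revocation_published is not None and last_refresh >= revocation_published:
        return False          # revocation was fetched at the last refresh
    return True

def exposure_days(compromised_on, expiry, revocation_published, next_refresh):
    """Days after compromise during which this client still trusts the key.
    Returns None when nothing ever ends it (no expiry and no revocation).
    Assumes next_refresh is after the revocation is published."""
    ends = []
    if expiry is not None:
        ends.append(expiry + timedelta(days=1))   # first day the cert reads as expired
    if revocation_published is not None:
        ends.append(next_refresh)                 # revocation seen at the next refresh
    if not ends:
        return None
    return max(0, (min(ends) - compromised_on).days)

if __name__ == "__main__":
    compromised = date(2013, 12, 4)               # constructed dates
    lazy_refresh = date(2014, 12, 4)              # lazy user refreshes once a year
    # (a) never-expiring key, revocation published same day, lazy user: a year exposed
    print(exposure_days(compromised, None, compromised, lazy_refresh))       # 365
    # (a) key prolonged one day at a time, owner stops prolonging: about two days
    print(exposure_days(compromised, compromised + timedelta(days=1),
                        compromised, lazy_refresh))                          # 2
    # (b) revocation impossible, never-expiring key: unbounded
    print(exposure_days(compromised, None, None, lazy_refresh))              # None
    # (b) revocation impossible, but the cert expires in six months anyway
    print(exposure_days(compromised, date(2014, 6, 1), None, lazy_refresh))  # 180
```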