On 12/3/2013 6:20 PM, Hauke Laging wrote:
> Imagine a certificate which is always prolonged for just one day. If this
> gets compromised then it will not be prolonged any more (at least not by
> its owner but we all love our highly secure offline mainkeys, don't we?)
> so everyone will notice that within hours.

1. The attacker can just extend the validity himself. He's successfully compromised the key, after all.
2. As a consequence of #1, no one will notice.

There are certainly reasons to limit certificate and/or subkey lifetimes, but these reasons are principally to comply with regulations, policies and/or laws -- not so much because doing so is a security best-practice.