Re: Expired GPG keys of older release
- Date: Thu, 21 Jun 2018 07:47:53 -0400
- From: rhkramer@xxxxxxxxx
On Wednesday, June 20, 2018 10:25:25 PM Ben Finney wrote:
> In other words: Yes, it's inconvenient, but it's because *no one can
> know* with confidence any more whether that key has been compromised.

Well, I should study up more on keys and expiration, but isn't the situation
much the same before the key expires? I mean, the issuer / owner of the key
really doesn't know whether the key has been compromised?

(There might be / probably is less chance it has been compromised (in
congruence with your last paragraph, quoted below), but, the person that
breaks a key doesn't report to the owner that he has done so ;-)

> So that does put it into the same category as “who the hell knows
> whether this signature is associated with the key owner”.
> That's just a fact that follows from the finite lifetime of the security
> of a given key. The longer it's been out there, the larger the window
> for compromise; and we're now outside the window where the key owner
> warrants to still be in control of that key. Don't trust whatever
> signatures you find with that key any more.