Re: Expired GPG keys of older release




On Wednesday, June 20, 2018 10:25:25 PM Ben Finney wrote:
> In other words: Yes, it's inconvenient, but it's because *no one can
> know* with confidence any more whether that key has been compromised.

Well, I should study up more on keys and expiration, but isn't the situation 
much the same before the key expires?  I mean, the issuer / owner of the key 
really doesn't know whether the key has been compromised?  

(There might be / probably is less chance it has been compromised (in 
congruence with your last paragraph, quoted below), but, the person that 
breaks a key doesn't report to the owner that he has done so ;-)

> So that does put it into the same category as “who the hell knows
> whether this signature is associated with the key owner”.
> 
> That's just a fact that follows from the finite lifetime of the security
> of a given key. The longer it's been out there, the larger the window
> for compromise; and we're now outside the window where the key owner
> warrants to still be in control of that key. Don't trust whatever
> signatures you find with that key any more.